We have a JIRA for the $subject
https://issues.redhat.com/browse/KEYCLOAK-1515 .
This is about the ability to automatically redirect to the
specified identity provider for users with emails of a specified
domain. So for example all users with an email like "@acme.org" will be
redirected to the specified IDP "acme oidc", which is configured in
Keycloak. This will usually be used with the Identity-first flow, the case
when the UsernameOnly authenticator is used.
How to address this? My current thinking is to develop a new
authenticator. The authenticator will have a configuration option
which will allow specifying a mapping between email domains and identity
providers. For example:
acme.org -> acme OIDC provider
foo.org -> Foo SAML provider
The authenticator will need to be manually added by the administrator to
the authentication flow. Usually it will be used together with
"UsernameOnlyAuthenticator" and will be added directly after it.
Another option is to use the existing "Identity Provider Redirector"
authenticator. However, it seems that a new authenticator implementation
will be a slightly cleaner option. The current "Identity Provider Redirector"
is usually used at the beginning of the authentication flow as it doesn't
require any user input. However, the new authenticator will usually
require some user input, as the user will need to be known.
WDYT?
Marek