Disallow username/password access for a group of users

Mirko Friedenhagen

Aug 18, 2022, 11:47:59 AM
to Keycloak User
Hi everyone,

I am not sure whether it is OK if I ask the same question both in Discourse and here; it seems the two are not synced:
  • In one realm (A) I configured an LDAP user federation with “real humans” and so-called service accounts; the latter are used for automation purposes (think CI, SonarQube).
  • Additionally I configured an (internal SAML) Identity Provider used as broker with the same accounts.
  • Now I want humans to use that IdP exclusively for login to Keycloak, while service accounts must exclusively log in via the username/password form in Keycloak.
  • I am able to differentiate real humans from service accounts in LDAP, the latter having one distinctive LDAP attribute.
I already thought I could create another realm B in Keycloak, restricted to these service accounts and without the internal SAML IdP, and use realm B as an additional IdP broker in realm A. Then I could just disallow *any* form-based authentication into Keycloak in A?

Any hints are welcome :slight_smile:

Best Regards
Mirko

Mirko Friedenhagen

Aug 18, 2022, 12:27:00 PM
to Keycloak User