Automatic IdP login / redirection


Chris Boot

Aug 1, 2025, 10:10:36 AM
to Keycloak User
Hi all,

I have a Keycloak realm with a mixture of users that are either
federated from an LDAP directory or which have a linked OIDC or SAML
identity provider. There is one LDAP directory but there could be
multiple IdPs, though users are expected to have only one link to either
LDAP or one OIDC / SAML IdP.

I'd like to configure Keycloak such that the login form only asks for an
email address. If the user exists and has a linked IdP it should
redirect immediately to the IdP, otherwise Keycloak should continue with
the password (+ optional TOTP or WebAuthn) login as it would normally.

Can this be achieved with "stock" Keycloak? If not, are there existing
plugins to achieve this functionality?

Thanks,
Chris

--
Chris Boot
bo...@boo.tc

SadaShiv Dash

Aug 1, 2025, 10:35:01 PM
to Chris Boot, Keycloak User
Hi Chris,

I may think that you’re seeking similar ideas about discovery.



Regards
SadaShiv Dash

On 1 Aug 2025, at 7:40 PM, Chris Boot <li...@bootc.boo.tc> wrote:

Hi all,

Martin Besozzi

Aug 4, 2025, 1:29:19 PM
to Chris Boot, Keycloak User
Hi Chris,
In the identify-first scenario, you can try the out-of-the-box organization feature [1] / [2] or use the custom extension keycloak-home-idp-discovery [3] by sventorben, which helps address that requirement.


