allow IDP broker for some clients only


Ionel GARDAIS

Jan 23, 2023, 8:36:21 AM
to keycloak-user
Hi,

I'm trying to enable IDP brokers for some but not all clients in the same realm.
I tried to clone the configured browser auth flow and:
- disabled the Identity Provider Redirector
- deleted the Identity Provider Redirector

I made this flow the default browser flow and assigned a flow with IDP Redirector enabled as an alternative to specific clients.
However, the button to log in through brokers is still displayed for clients using the browser flow without IDP Redirector.

What did I miss?
How could I achieve the desired goal?

Thanks,
Ionel 


Łukasz Dywicki

Jan 23, 2023, 4:32:41 PM
to keyclo...@googlegroups.com
It's entirely doable, but fine access control will require a custom
authenticator. The redirector authenticator reacts to the kc_idp_hint
parameter, hence it does not affect the login screen. These two elements are
separate and cannot be merged without further customization (you have
to modify the login form provider).
First - you need to configure your identity providers to not display
them on the login page.
Second - your clients should be sending kc_idp_hint to the authorization
endpoint, forcing the user to be redirected instead of seeing the login form.
Removal of the redirector from the flow amends the kc_idp_hint behavior, but does not
block use of the identity broker functionality in Keycloak. You may still
set some identity providers to "linking only", effectively blocking
login through them.

Please also note that once user SSO session is created he can simply
enter other clients and launch these client sessions based on
authentication information from identity provider.

Best,
Łukasz
--
http://code-house.org
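The two steps above (hide the broker on the login page, have each client send kc_idp_hint) and the closing caveat (an SSO session created through a broker is reusable at every other client in the realm) can be illustrated from the relying party's side. The following is an added example, not code from this thread or from the Keycloak project. It assumes the standard Keycloak authorization endpoint path `/realms/{realm}/protocol/openid-connect/auth`, and, for the post-login check, a "User Session Note" protocol mapper that exposes the `identity_provider` session note as a token claim of the same name; every hostname, realm, client id and broker alias is a constructed placeholder. This also matches the setup Ionel reports in the next message (hidden IdP plus a login that passes kc_idp_hint).

```python
"""Added example (not from the thread or the Keycloak project): a relying
party that forces one brokered identity provider per client via kc_idp_hint
and, after login, checks which provider was actually used.

Assumptions (not established by the thread):
  * the authorization endpoint path
    /realms/{realm}/protocol/openid-connect/auth (Keycloak's standard path);
  * a "User Session Note" protocol mapper that copies the session note
    'identity_provider' into a token claim of the same name;
  * all hostnames, realm names, client ids and IdP aliases below are
    constructed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed policy: which broker aliases each client may log in through.
# An empty set means the client accepts only the realm's local login.
CLIENT_IDP_POLICY = {
    "portal": {"corp-saml"},
    "partner-app": {"partner-oidc"},
    "intranet": set(),
}


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) for the auth request."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def hint_permitted(client_id, idp_alias):
    """True if the policy lets this client request this broker alias."""
    return idp_alias in CLIENT_IDP_POLICY.get(client_id, set())


def build_auth_url(base_url, realm, client_id, redirect_uri,
                   idp_alias=None, state=None, code_challenge=None):
    """Build the authorization request. When idp_alias is given and the
    policy allows it, kc_idp_hint is added so the Identity Provider
    Redirector sends the user straight to that broker; the broker itself
    is configured as hidden on the login page, as the thread describes."""
    if idp_alias is not None and not hint_permitted(client_id, idp_alias):
        raise ValueError(f"client {client_id!r} may not use broker {idp_alias!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(16),
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    if idp_alias is not None:
        params["kc_idp_hint"] = idp_alias
    return f"{base_url}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


def login_accepted(client_id, claims):
    """Post-login check on the decoded (already signature-verified) token.

    This addresses the caveat in the thread: an SSO session established
    through a broker can be reused at any other client in the realm, so the
    client must check which provider was used. 'identity_provider' is the
    assumed claim name (see module docstring); absence means local login.
    """
    used = claims.get("identity_provider")
    allowed = CLIENT_IDP_POLICY.get(client_id, set())
    if used is None:
        return True  # local realm credentials, not a brokered login
    return used in allowed


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(build_auth_url("https://sso.example.test", "demo", "portal",
                         "https://portal.example.test/callback",
                         idp_alias="corp-saml", code_challenge=challenge))
    print(login_accepted("intranet", {"identity_provider": "corp-saml"}))  # False
```

The policy is enforced twice on purpose: once when the request is built (a client never emits a kc_idp_hint it is not entitled to) and once on the returned token (a session the user already holds from another client's broker login is rejected if that broker is not on this client's list). Local-credential logins are accepted everywhere here, since the thread's concern is limiting brokers, not the realm's own login.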

Ionel GARDAIS

Jan 24, 2023, 2:34:31 AM
to Łukasz Dywicki, keycloak-user
Hi Lukas,

Thanks for your feedback.
I ended with a hidden identity provider and an IDP-initiated login that passes kc_idp_hint.
Works as expected.

--
Ionel GARDAIS


----- Original message -----
From: "Łukasz Dywicki" <lu...@code-house.org>
To: "keycloak-user" <keyclo...@googlegroups.com>
Sent: Monday, 23 January 2023 22:32:32
Subject: [*EXT*] Re: [keycloak-user] allow IDP broker for some clients only
