broker chaining and user claims

Francesco Corbetta

Aug 8, 2023, 5:28:04 AM
to keyclo...@googlegroups.com
Hello all,
I have a setting where a Keycloak instance sits in the middle of
different IdPs to allow users to log in with different providers.
The different IdPs may or may not be Keycloak providers.

So imagine this situation

IdP_1 <-> central_IdP <-> IdP_2

If a user exists in IdP_1 and in IdP_2, she can log in to 1 or 2.
Please note that there are also 3, 4, 5, etc.
I have the requirement of propagating to clients the original IdP
where the user logged in first.
So, for example, a client of IdP_1 should be aware of the fact that
the user logged in to IdP_2.

How can I propagate this information?
I tried the following:
- in the central IdP, I added a mapper to the identity provider config
pointing to IdP_2. This is a hardcoded mapper with the value "idp_2"
- in the central IdP, in the client for IdP_1, I added a client-dedicated
scope to add the previous hardcoded attribute to the user
profile

But it does not work.
I tried a custom authenticator to set a user session note (something
similar to https://lists.jboss.org/pipermail/keycloak-user/2018-November/016231.html),
but no success so far.

Any hints from the community?

Cheers!

Francesco Corbetta

Sep 30, 2023, 10:22:26 AM
to keyclo...@googlegroups.com
Hello,

On the client side you have to use a protocol mapper of type "User
Session Note".
I have the same scenario and it works.
It is documented in
https://www.keycloak.org/docs/latest/server_admin/index.html#available-user-session-data


On Tue, Aug 8, 2023 at 11:27 Francesco Corbetta
<chi...@gmail.com> wrote:
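One way to create the mapper the reply describes, as an added example that is not part of the thread: it uses the Keycloak admin REST API to add a "User Session Note" protocol mapper on the client that IdP_1 uses at the central IdP, copying the `identity_provider` session note (the alias of the broker the user actually authenticated through, which is what the linked docs section covers) into a token claim. The base URL, realm, client UUID, admin token and the claim name `original_idp` are assumptions.

```python
"""Add a Keycloak "User Session Note" protocol mapper to a client so the
`identity_provider` session note is emitted as a token claim.
Uses only the standard library (urllib) against the admin REST API."""
import json
import urllib.request

# Built-in Keycloak mapper type for user session notes on OIDC clients.
SESSION_NOTE_MAPPER = "oidc-usersessionmodel-note-mapper"


def build_session_note_mapper(claim_name, note_name="identity_provider"):
    """Mapper representation that copies session note `note_name`
    into the claim `claim_name` of the ID, access and userinfo tokens.
    The note `identity_provider` is set by Keycloak after a brokered login,
    so no custom authenticator is needed to populate it."""
    return {
        "name": f"{note_name} -> {claim_name}",
        "protocol": "openid-connect",
        "protocolMapper": SESSION_NOTE_MAPPER,
        "config": {
            "user.session.note": note_name,
            "claim.name": claim_name,
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
        },
    }


def create_mapper(base_url, realm, client_uuid, admin_token, mapper):
    """POST the mapper to the client. `client_uuid` is the client's internal
    id (not its clientId). Returns the HTTP status; 201 means created.
    base_url/realm/client_uuid/admin_token are assumed deployment values."""
    url = f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/protocol-mappers/models"
    req = urllib.request.Request(
        url,
        data=json.dumps(mapper).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {admin_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run it once per client that needs the claim; an admin token from the realm's `admin-cli` client (or a service account with `manage-clients`) is sufficient.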