Mix federated users and non federated users?


Arnold Obdeijn

Mar 20, 2021, 10:58:09 AM
to Keycloak User

Hi, I have a question regarding user federation with Keycloak. I have created a realm, set up user federation with an Active Directory instance through ldaps and imported the users.

In the same realm I have created a user by hand (not federated) and now I have tried to set UpdatePassword as a required action for the user, but the option doesn't appear. I have also tried to set UpdatePassword as a reset action, on the credentials tab, but there the option doesn't appear either.

Is this the expected behaviour? Should I avoid mixing federated and local users in one realm? I can't find much documentation on this. Any help is much appreciated. I am running Keycloak 11.0.2

Cheers,
Arnold

Lars Van Casteren

Mar 22, 2021, 5:39:16 AM
to Keycloak User
Hi, mixing users is not a problem. The imported users are basically also local objects, but password verification happens not on KC (as it does for local users) but against AD. We're running KC with a mix of local KC users, several IdP trust users and federated users from AD; federated users are authenticated via either username/password (AD) or through the IdP trust setup with AzureAD/SAML. In the latter case KC adds AzureAD SAML as an identity provider link for the (federated) user object.
Did you enable Update Password on the Authentication - Required Actions tab and also select the Reset Credentials flow in the Authentication - Bindings tab? I'm not sure, but I think whenever you force a federated user to reset their password they will get an error when applying; from within the account page, I think federated users get a warning that they can't change their password.



Arnold Obdeijn

Mar 22, 2021, 6:50:52 AM
to Keycloak User
Hi Lars,

Thanks for your help! Good to know that mixing is not a problem. I had to enable Update Password on the Authentication - Required Actions tab and now it works.

Would be nice if federated users could get an informative message whenever they try to update their password, to avoid confusion. Right now, when I go to the login screen of an application as a federated user and hit the forgot password link, I get an email with an update password link and when I follow that I get logged into the application, which is not really what I would expect as a user.

Still struggling a bit with the question how to give my users a good user experience.

On Monday, 22 March 2021 at 10:39:16 UTC+1, larsvan...@gmail.com wrote:

Lars Van Casteren

Mar 22, 2021, 7:51:57 AM
to Keycloak User
Good that it works! I'm in the same boat with regard to federated users clicking on the password reset link and opening a can of helpdesk tickets.
We've changed the password reset template to include a warning informing users that password reset is only applicable to non-federated/non-AzureAD users, but not every user is tech savvy enough to understand it, no matter how clear we try to make the message. I thought about intercepting the password reset page with a message when it's a federated user etc., but that potentially leaves the reset option open to username harvesting. The only "tech-un-savvy-proof" solution I can think of would be to change the email content when it's a federated/AzureAD user and not include a password link but a message informing them they should consult their own ICT department for the correct password reset procedure. But doing that will require some amount of development, so we settled for the message on the reset page.

You say you are directly logged in? Lucky you, companies pay good money for SSO ;)
Doesn't that mean you still have an access cookie that gets you past the authentication screen, hence not getting to the actual password reset page?

Thomas Darimont

Mar 22, 2021, 8:37:05 AM
to Lars Van Casteren, Keycloak User
Hello Lars,

> We've changed the password reset template to include a warning informing password reset is only applicable to non federated/non AzureAD users but not every user is as tech savvy to understand it no matter how clear we try to make the message.
You could also adjust the reset-credentials flow by adding a custom authenticator, which checks if the given user is federated via AD / AzureAD, and if this is the case redirect those users to another page that shows the info message, without performing the password reset.

Cheers,
Thomas
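
The custom authenticator Thomas describes, as an added example that is not code from the thread or from the Keycloak project. It assumes a hypothetical class and package name, an assumed theme message key `federatedUserPasswordResetMessage`, the Keycloak 11 `getFederatedIdentities(user, realm)` API, and that the accompanying `AuthenticatorFactory` plus `META-INF/services` registration are provided separately.

```java
package example.keycloak; // hypothetical package for this added example

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Intended for the "Reset Credentials" flow, between "Choose User" and
 * "Send Reset Email". Local users continue to the e-mail step; users backed
 * by a User Federation provider (e.g. the LDAP/AD provider) or linked to an
 * identity provider (e.g. AzureAD SAML) get an info page and no reset e-mail.
 */
public class FederatedUserResetGuard implements Authenticator {

    // Message key resolved from the login theme's messages_*.properties (assumed key).
    static final String MESSAGE_KEY = "federatedUserPasswordResetMessage";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // Unknown username: "Choose User" already cleared the user. Continue so the
            // standard "email sent" page is shown and account existence is not disclosed.
            context.success();
            return;
        }
        if (isFederated(context, user)) {
            context.getEvent().detail("reset_blocked", "federated_user"); // for audit logs
            context.challenge(context.form().setInfo(MESSAGE_KEY).createInfoPage());
            return;
        }
        context.success();
    }

    static boolean isFederated(AuthenticationFlowContext context, UserModel user) {
        // getFederationLink() is set for users imported from a User Federation provider.
        boolean hasFederationLink = user.getFederationLink() != null;
        // Keycloak 11 API returns Set<FederatedIdentityModel>; newer releases use
        // getFederatedIdentitiesStream(realm, user) instead.
        boolean hasIdpLink = !context.getSession().users()
                .getFederatedIdentities(user, context.getRealm()).isEmpty();
        return hasFederationLink || hasIdpLink;
    }

    @Override public void action(AuthenticationFlowContext context) { context.success(); }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Note the harvesting caveat Lars raised: if the info page's wording differs from the standard "email sent" page, the response reveals which usernames are federated, so consider giving the assumed message key the same text as `emailSentMessage` and moving the real guidance into the e-mail instead.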
