Enabling user via IDP login

We have a requirement where we 100% trust a login from the IDP, so if we have a disabled user in our Keycloak, and they try to log in from the IDP, we want to enable the user as part of the process.

I have written a custom provider that hooks into the First Login Flow from the IDP, and before attempting to link the IDP to the Keycloak account we enable the account, and this works perfectly.

My issue arises when the user is already linked to an existing Keycloak user, but they are now disabled after a period of inactivity and they try to log in from the IDP.

I added the same custom provider to the Post Login Flow at the very top, but I don’t even see any logs to say it has hit that part of the flow yet.

Am I missing something in my configuration?

Thanks

Without seeing your config and custom provider code, it would be very hard to help you debug this. If you can share those, we can probably help.

A few questions:

  • Why do you need to disable the user in Keycloak?
  • Is your post login flow bound to the client?
  • Do you have logging in all the methods of your custom authenticator? Some of the methods stop the rest of the authenticator from running, so you should make sure you’re logging everywhere.
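The authenticator the original poster describes (enable the user before the flow continues, with a log line in every SPI method so you can see which one the flow actually reaches) would look roughly like this. This is an added example, not the poster's code or part of Keycloak; it assumes the standard `org.keycloak.authentication.Authenticator` SPI and that the brokered identity is already linked, so `context.getUser()` is set (true in the post login flow; in the first login flow the user may not be on the context yet). The class and package names are hypothetical.

```java
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical authenticator: re-enables a disabled user after a trusted IdP login.
public class EnableUserOnIdpLoginAuthenticator implements Authenticator {

    private static final Logger LOG = Logger.getLogger(EnableUserOnIdpLoginAuthenticator.class);

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        LOG.info("authenticate() reached");
        UserModel user = context.getUser();
        if (user == null) {
            // No linked user on the context (e.g. first login before linking): pass through.
            LOG.info("authenticate(): no user on context, marking attempted");
            context.attempted();
            return;
        }
        if (!user.isEnabled()) {
            LOG.infof("authenticate(): enabling user %s after trusted IdP login", user.getUsername());
            user.setEnabled(true);
        }
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // Only invoked after a form submission; this authenticator renders no form.
        LOG.info("action() reached");
        context.success();
    }

    @Override
    public boolean requiresUser() {
        // Returning true with no user on the context stops the flow before authenticate() runs.
        LOG.info("requiresUser() reached");
        return false;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        LOG.info("configuredFor() reached");
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        LOG.info("setRequiredActions() reached");
    }

    @Override
    public void close() { }
}
```

The class still needs a matching `AuthenticatorFactory` registered in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` and the execution added to the flow that the IdP's "Post login flow" setting points at; if none of these log lines appear, the flow was not invoked at all rather than the authenticator failing.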

We have security rules that we have to follow, and disabling users is one of them.
Post Login Flow is bound to the Authentication Flow I have set up, but no logging appears to occur, which makes me think it isn't even reaching that point, and yes, I have a log.info statement configured in each method in my custom provider.

I have a workaround, which I'm not completely 100% on, if I can't get this to work: when we disable a user, we remove the federation link, and as part of the linking process I can enable the disabled user.

That doesn’t sound right. You need to explicitly select the flow you have created in the IdP configuration. It’s at the bottom of the IdP configuration page under “Advanced settings”.

Yep, I have selected them under First login flow and Post login flow.

Hard to debug any further without seeing your config and custom provider code.