Automatic Identity provider resolution for the user at login

Hello,
I have configured multiple identity providers in Keycloak. These are listed for the user on the login page, and the user has to choose one of them and is then redirected to the selected one.

I would like to avoid the user having to select the identity provider and instead automatically redirect them to one based on some logic. For example, have only a single IDP for each user, ask the user for their username/email first, then redirect the user to the IDP they have been assigned. Or have a custom IDP resolution service which Keycloak queries for the valid identity providers that the user can use.

Is something like this possible with Keycloak? Or do I have to introduce an independent layer in front of Keycloak to do this resolution?

Thanks


Hello!
I have the same requirement to set up multiple identity providers and avoid showing the link for each IDP. We will have multiple for all customers that need to log in to our managed services. The services are not “home built” but rather different services we use for customer management (chat service, ticketing service, etc.), and they support OpenID/SAML.

I am quite new to Keycloak, so RTFM is needed on my end, but this is one of the main requirements I would need to solve as well. From the documentation I found this:
https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_overview

"Variations of this flow are possible. For example, the client application can request a specific identity provider rather than displaying a list of them, or you can set Keycloak to force users to provide additional information before federating their identity."

This is the way I would like to do it.

  1. User provides the username/email
  2. User is automatically redirected to their IDP OR user is presented with a form that asks for the customer organisation name.
  3. The user is then redirected to their IDP based on either email or the organisation provided.

I have read about the “kc_idp_hint” method, but this would require the client to pass this along to Keycloak, and this is not possible.

Any updates on this would be appreciated or if anyone has pointers to what to read up on? Flows? Other configurations needed to accomplish this?

Regards,
Kim

There is a great extension that does most of what you’re asking for.


Great! Thanks will try that out!

Do I need an extension (even though it's not that hard to install) to do this kind of functionality in Keycloak?

Can it not be done by creating a custom flow? Or is the “key” that this extension adds the possibility to check the user's domain against the IDP's home.idp.discovery.domains, and this is not possible without the extension?

Just curious; you already pointed to the keycloak-home-idp-discovery extension, but I'm just trying to figure out Keycloak…

-Kim
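The email-domain-to-IDP lookup described in Kim's steps (and the per-IDP domain list the extension reads), as an added example that is not part of the thread or of the keycloak-home-idp-discovery project: it resolves a user's home IDP alias from their e-mail domain and, when one is found, builds the Keycloak authorization URL carrying kc_idp_hint. The domain table, realm, client and URLs are constructed placeholders.

```python
"""Added example (not from the thread): resolve a user's home IdP from
their e-mail domain, then build the Keycloak auth URL with kc_idp_hint.
The alias->domains table stands in for the per-IdP config attribute
named in the thread (home.idp.discovery.domains); values are constructed."""
from typing import Optional
from urllib.parse import urlencode

# Constructed mapping: configured IdP alias -> domains it is home for.
IDP_DOMAINS = {
    "customer-a-saml": ["customer-a.example", "mail.customer-a.example"],
    "customer-b-oidc": ["customer-b.example"],
}


def resolve_idp(email: str) -> Optional[str]:
    """Return the IdP alias for the e-mail's domain, or None.

    Tries the exact domain first, then parent domains (dev.b.example ->
    b.example), so one entry covers subdomains; the bare TLD is never
    tried. Unknown domains return None so the caller can fall back to
    the normal local login instead of guessing an IdP."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # most to least specific suffix
        candidate = ".".join(labels[i:])
        for alias, domains in IDP_DOMAINS.items():
            if candidate in (d.lower() for d in domains):
                return alias
    return None


def build_auth_url(base: str, realm: str, client_id: str,
                   redirect_uri: str, email: str) -> str:
    """Build the OIDC authorization URL. kc_idp_hint is only ever set to
    an alias from our own table, never to a value taken from the request,
    so a user cannot steer themselves to an IdP they are not assigned."""
    params = {"client_id": client_id, "response_type": "code",
              "scope": "openid", "redirect_uri": redirect_uri,
              "login_hint": email}
    alias = resolve_idp(email)
    if alias in IDP_DOMAINS:
        params["kc_idp_hint"] = alias
    return (f"{base.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
            f"?{urlencode(params)}")
```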

I can’t think of a way to do it with just a custom flow.