Hi, I’m looking into using Keycloak as the SSO solution for our application. I plan to use Keycloak both as an IdP and SP. Most of our users will be migrated to Keycloak, however some users belong to an external organisation with their own SAML2.0 IdP.
I have looked through the documentation and searched the web but have not been able to find a definitive answer.
Here’s the scenario I’m trying to solve.
User navigates to our web application which redirects to the Keycloak Login screen
User enters username and password
This is a user belonging to the external organisation. Can Keycloak be configured to use the IdP redirector to delegate to an external SAML2.0 IdP based on the username/attribute/group/any other distinguishing factor?
Alternatively, can Keycloak’s login process be set up to render two pages instead of one, with the first page requesting the username and the second the password (like Google), obtaining the username first to determine which authentication flow to use?
This is possible, but you’d need to implement a custom Authenticator to execute the logic that determines when to redirect to an external IdP. There are already separate forms you can use for username and password. You’d have to implement the Authenticator to take the provided username and make a determination on whether to continue to the password form, or do an IdP redirect to your SAML IdP. Once you’ve built the custom Authenticator, you can update the Browser flow in the admin in “Authentication”->“Flows”.
Here is the general documentation on the Authenticator SPI: Server Developer Guide
Let us know if you need specific help once you’ve looked at that.
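As an added illustration of the approach described in this answer (example code written for this thread, not Keycloak's own code and not the original poster's implementation), here is a minimal custom Authenticator against the Keycloak 12 SPI: it shows the username-only form first, then either brokers to the external SAML IdP or sets the user and hands over to the built-in "Password Form" step that follows it in the browser flow. The package name, the IdP alias `external-saml` and the `@external.example` domain rule are assumptions; the `getUserByUsername(String, RealmModel)` signature is the one in Keycloak 12.

```java
package example.auth; // hypothetical package, not part of Keycloak

import java.net.URI;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.*;
import org.keycloak.models.*;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.sessions.AuthenticationSessionModel;

public class HomeRealmDiscoveryAuthenticator implements Authenticator {
    // Assumed values: alias of the SAML broker configured in the realm, and the domain marking external users.
    static final String EXTERNAL_IDP_ALIAS = "external-saml";
    static final String EXTERNAL_DOMAIN = "@external.example";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        context.challenge(context.form().createLoginUsername());   // page 1: username only
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        String username = context.getHttpRequest().getDecodedFormParameters().getFirst("username");
        if (username != null && username.trim().toLowerCase().endsWith(EXTERNAL_DOMAIN)) {
            redirectToIdp(context, EXTERNAL_IDP_ALIAS);                // external user: delegate to SAML IdP
            return;
        }
        UserModel user = username == null ? null
                : context.getSession().users().getUserByUsername(username.trim(), context.getRealm());
        if (user == null) {                                            // unknown local user: re-ask with an error
            context.failureChallenge(AuthenticationFlowError.INVALID_USER,
                    context.form().setError("invalidUserMessage").createLoginUsername());
            return;
        }
        context.setUser(user);   // page 2 is the built-in "Password Form" execution placed after this one
        context.success();
    }

    private void redirectToIdp(AuthenticationFlowContext context, String alias) {
        IdentityProviderModel idp = context.getRealm().getIdentityProviderByAlias(alias);
        if (idp == null || !idp.isEnabled()) { context.attempted(); return; }   // no usable broker: let the flow go on
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String code = new ClientSessionCode<>(context.getSession(), context.getRealm(), authSession).getOrGenerateCode();
        URI location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), alias,
                context.getRealm().getName(), code, authSession.getClient().getClientId(), authSession.getTabId());
        // forceChallenge records the flow status so the processor returns this redirect instead of continuing.
        context.forceChallenge(Response.seeOther(location).build());
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The class still needs a matching AuthenticatorFactory registered in META-INF/services/org.keycloak.authentication.AuthenticatorFactory before it appears in the "Authentication"->"Flows" admin screen; that factory is omitted here.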
In the log I can see that it follows the same code path as if I were to click on the IdP redirect button on the login page.
However, after Keycloak reports the following,
Identity provider [org.keycloak.broker.saml.SAMLIdentityProvider@7d3a4681] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@39eb19ee].
It doesn’t redirect to the IdP but instead goes to LoginActionServices and crashes with a NullPointerException.
2021-04-06 16:42:43,479 WARN [org.keycloak.services] (default task-12) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
at org.keycloak.keycloak-services@12.0.4//org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:492)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:167)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:937)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:315)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:284)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:268)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:343)