Conditional IdP Redirector or custom username followed by password login screens?

Hi, I’m looking into using Keycloak as the SSO solution for our application. I plan to use Keycloak both as an IdP and SP. Most of our users will be migrated to Keycloak, however some users belong to an external organisation with their own SAML2.0 IdP.

I have looked through the documentation and searched the web but have not been able to find a definitive answer.

Here’s the scenario I’m trying to solve.

  1. User navigates to our web application which redirects to the Keycloak Login screen
  2. User enters username and password
  3. This is a user belonging to the external organisation. Can Keycloak be configured to use the IdP redirector to delegate to an external SAML2.0 IdP based on the username/attribute/group/any other distinguishing factor?

Alternatively, can Keycloak’s login process be set up to render two pages instead of one, with the first page requesting the username and the second for the password (like Google)? Obtaining the username first to determine which authentication flow to use.

Thanks

Taylor.

This is possible, but you’d need to implement a custom Authenticator to execute the logic that determines when to redirect to an external IdP. There are already separate forms you can use for username and password. You’d have to implement the Authenticator to take the provided username and make a determination on whether to continue to the password form, or do an IdP redirect to your SAML IdP. Once you’ve built the custom Authenticator, you can update the Browser flow in the admin in “Authentication”->“Flows”.

Here is the general documentation on the Authenticator SPI: Server Developer Guide
Let us know if you need specific help once you’ve looked at that.
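An added example (not code from this thread or from Keycloak itself) of the Authenticator described above, written against the Keycloak 12-era javax.ws.rs API: it renders the stock username-only form, sends users whose username ends in an assumed external domain to the broker alias "okta" by returning a 303 to the browser, the way Keycloak's built-in IdentityProviderAuthenticator does, and passes local users on to the Password Form step. The class name, the domain and the alias are assumptions; a matching AuthenticatorFactory and META-INF/services registration are still required to load it.

```java
import java.net.URI;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.services.Urls;
import org.keycloak.services.messages.Messages;

/** Username-first step: local users go on to the Password Form, external users are redirected. */
public class DomainRoutingAuthenticator implements Authenticator {
    // Assumed: external users are recognised by e-mail domain (constructed value) and
    // the SAML IdP is configured in the realm under the broker alias "okta".
    private static final String EXTERNAL_DOMAIN = "@partner.example";
    private static final String IDP_ALIAS = "okta";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Render Keycloak's stock username-only form (login-username.ftl).
        context.challenge(context.form().createLoginUsername());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        String username = context.getHttpRequest().getDecodedFormParameters().getFirst("username");
        if (username != null && username.trim().toLowerCase().endsWith(EXTERNAL_DOMAIN)) {
            // Same broker login URL as the "IdP redirect" button, returned to the browser as a 303.
            URI location = Urls.identityProviderAuthnRequest(
                    context.getUriInfo().getBaseUri(), IDP_ALIAS, context.getRealm().getName(),
                    context.generateAccessCode(), context.getAuthenticationSession().getClient().getClientId(),
                    context.getAuthenticationSession().getTabId());
            context.forceChallenge(Response.seeOther(location).build());
            return;
        }
        UserModel user = username == null ? null : KeycloakModelUtils.findUserByNameOrEmail(context.getSession(), context.getRealm(), username.trim());
        if (user == null) {
            // Unknown local user: show the form again with an error, no hint about external routing.
            context.failureChallenge(AuthenticationFlowError.INVALID_USER,
                    context.form().setError(Messages.INVALID_USERNAME).createLoginUsername());
            return;
        }
        context.setUser(user); // the Password Form step that follows reads this
        context.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

In the copied browser flow this execution replaces the Username Form and is followed by the Password Form; the redirect is only ever returned to the browser, never fetched from inside the server.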

Hi, thank you for your suggestions. I know it’s been a very slow follow-up as I’ve only just started working on this.

I created a custom Authenticator and added it to a copy of the browser flow as the browser flow is immutable.

In the custom Authenticator, I used HttpUrlConnection to create and send the IdP redirect request to the IdP endpoint in Keycloak, e.g.

realms/MyRealm/broker/okta/login?client_id=%s&tab_id=%s&session_code=%s

In the log I can see that it follows the same code path as if I were to click on the IdP redirect button on the login page.


However after Keycloak reports the following,

Identity provider [org.keycloak.broker.saml.SAMLIdentityProvider@7d3a4681] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@39eb19ee].

It doesn’t redirect to the IdP but instead goes to LoginActionServices and crashes with a NullPointerException.

2021-04-06 16:42:43,479 WARN [org.keycloak.services] (default task-12) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
at org.keycloak.keycloak-services@12.0.4//org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:492)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:167)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:937)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:315)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:284)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:268)
at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:343)

Could you please advise where I am going wrong?

Many thanks!

Taylor