Conditional redirect to identity provider

rtheys · April 29, 2021, 11:55am

Hi,

I’ve configured keycloak with our users from LDAP and I’ve also configured user federation with a SAML2 identity provider. I’ve manually linked an identity from the identity provider to one of my LDAP users and modified the first broker login flow so automatic account creation is not possible.

This way, the identity brokering only works for accounts that have the account from the identity provider manually linked to an LDAP user.

I would now like to modify the browser flow so the user has to first enter their username and is then either directed to the identity provider, or shown a password field depending on whether the user has a federated identity linked to his/her account or not. Once a federated identity is linked to an account, the user should not be able to login using a username/password but only through the linked federated account.

Is there a condition that is only matched when a user has a federated identity?

Regards,
Rik

xgp · April 29, 2021, 12:55pm

If you are building a custom Authenticator to check for this, I believe the UserModel.getFederationLink() method should only return a value if the user has a federated identity linked to the account.

rtheys · May 6, 2021, 9:19am

Hi,

I’m trying to create a custom Authenticator to do a redirect and I’m using your proposed getFederationLink() method. This method returns the id of the storage provider of the user, which in my case is our LDAP user federation.

The attribute(s) I’m actually looking for is the entries from the “Identity Provider Links” in the details of a user to determine to which identity provider I can redirect the user.

When I iterate over the user.getAttributes() I don’t see any user attribute that provides this information?

Is there another way to extract the identity provider links configured for a user?

Regards,
Rik

xgp · May 6, 2021, 12:17pm

For that you will have to use the getFederatedIdentity methods in the UserProvider. From the KeycloakSession, it would look something like this:

//if you don't know the provider
session.users().getFederatedIdentitiesStream(user, realm);
//if you know the provider
session.users().getFederatedIdentity(user, socialProvider, realm)

rtheys · May 6, 2021, 4:42pm

Hi,

Thanks for your reply.

In the meantime, I discovered I could obtain this information by using:

RealmModel realm = context.getRealm();
Set identitySet = session.users().getFederatedIdentities(user, realm);

And then check the size of the identitySet and walk it to obtain the correct information.

Should I update my code to do it the way you suggested, or is the above solution also valid?

Regards,
Rik

xgp · May 6, 2021, 4:57pm

The method you selected is valid, but be advised it has been deprecated, so it may be removed in future versions of keycloak.

rizaldiqbal · March 13, 2024, 3:04am

@rtheys hi bro, I just found your discourse, have you solved this problem?
I need the scheme like you faced, can you share the solution by email for me?
it’d help me a lot

cc: @xgp

my email: iqbalrizaldi818@gmail.com

rtheys · March 13, 2024, 7:29am

Hi,

We didn’t implement this in the end. Our users can authenticate using either a federated identity or username/password + otp/webauthn.

Rik

Topic		Replies	Views
Identity Provider for Provisioned Accounts Getting advice	0	482	January 14, 2020
Automatic Identity provider resolution for the user at login Configuring the server	4	1573	June 3, 2022
Browser Flow and Identity providers Getting advice	0	615	August 4, 2020
Account linking with Keycloak Getting advice authentication , oidc	1	4645	December 23, 2019
Using ID Provider and User Federation in one realm Getting advice ldap , oidc	0	508	March 2, 2023

Conditional redirect to identity provider

Related Topics