Conditional redirect to identity provider


I’ve configured keycloak with our users from LDAP and I’ve also configured user federation with a SAML2 identity provider. I’ve manually linked an identity from the identity provider to one of my LDAP users and modified the first broker login flow so automatic account creation is not possible.

This way, the identity brokering only works for accounts that have the account from the identity provider manually linked to an LDAP user.

I would now like to modify the browser flow so the user has to first enter their username and is then either directed to the identity provider, or shown a password field depending on whether the user has a federated identity linked to his/her account or not. Once a federated identity is linked to an account, the user should not be able to login using a username/password but only through the linked federated account.

Is there a condition that is only matched when a user has a federated identity?


If you are building a custom Authenticator to check for this, I believe the UserModel.getFederationLink() method should only return a value if the user has a federated identity linked to the account.


I’m trying to create a custom Authenticator to do a redirect and I’m using your proposed getFederationLink() method. This method returns the id of the storage provider of the user, which in my case is our LDAP user federation.

The attribute(s) I’m actually looking for is the entries from the “Identity Provider Links” in the details of a user to determine to which identity provider I can redirect the user.

When I iterate over the user.getAttributes() I don’t see any user attribute that provides this information?

Is there another way to extract the identity provider links configured for a user?


For that you will have to use the getFederatedIdentity methods in the UserProvider. From the KeycloakSession, it would look something like this:

//if you don't know the provider
session.users().getFederatedIdentitiesStream(user, realm);
//if you know the provider
session.users().getFederatedIdentity(user, socialProvider, realm) 


Thanks for your reply.

In the meantime, I discovered I could obtain this information by using:

RealmModel realm = context.getRealm();
Set identitySet = session.users().getFederatedIdentities(user, realm);

And then check the size of the identitySet and walk it to obtain the correct information.

Should I update my code to do it the way you suggested, or is the above solution also valid?


The method you selected is valid, but be advised it has been deprecated, so it may be removed in future versions of keycloak.

@rtheys hi bro, I just found your discourse, have you solved this problem?
I need the scheme like you faced, can you share the solution by email for me?
it’d help me a lot

cc: @xgp

my email:


We didn’t implement this in the end. Our users can authenticate using either a federated identity or username/password + otp/webauthn.