We’ve been looking at Keycloak for replacing our in-house SSO implementation. One feature in the in-house implementation is the ability to configure allowed Identity Providers for each client, i.e. depending on the client the user is shown a different set of login providers. This is mostly used to require using our AD accounts for administration interfaces in applications. Public applications make use of the big public providers (Google, Facebook) and some others depending on the application.
It seems that the only way to do this would be to set up different realms. This won’t work as most services should share the same user identifiers. Also it would be somewhat cumbersome to keep track of the different endpoints.
So I think my question is: is there a way to configure a different set of login providers per client within one realm?
Are your Identity Providers OIDC applications?
OIDC applications can bypass the Keycloak login page by specifying a hint on which identity provider they want to use. This is done by setting the kc_idp_hint query parameter in the Authorization Code Flow authorization endpoint.
Please check this link https://www.keycloak.org/docs/6.0/server_admin/ and search for kc_idp_hint for more details. Not sure whether this will help you.
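To make the kc_idp_hint suggestion concrete, here is an added example (not from the thread, and not Keycloak's own code) of how a relying party would build the Authorization Code Flow request with the hint. The host, realm name, client IDs and identity-provider aliases are assumptions; the per-client policy table mirrors the in-house setup described in the question, hinting straight to the provider when a client allows exactly one and otherwise leaving the normal Keycloak login page in place. Note that kc_idp_hint is a query parameter the browser carries, so a user can remove or change it; it selects which provider to redirect to but is not an access-control boundary on its own.

```python
# Added example (not from the original thread): an OIDC relying party building a
# Keycloak Authorization Code Flow request that carries kc_idp_hint, plus the
# state check on the callback. Host, realm, client IDs and IdP aliases are assumed.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed deployment values; replace with your own.
KEYCLOAK_BASE = "https://sso.example.com"        # hypothetical host
REALM = "myrealm"                                 # hypothetical realm
AUTH_ENDPOINT = f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/auth"

# Hypothetical per-client policy kept on the relying-party side, mirroring the
# "allowed providers per client" feature from the question. Aliases are assumed
# to match the identity providers configured in the realm.
CLIENT_IDP_POLICY = {
    "admin-console": ["corp-adfs"],          # exactly one: hint straight to it
    "public-app": ["google", "facebook"],    # several: let Keycloak show its page
}


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) for the request."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_request(client_id, redirect_uri, state=None, nonce=None, code_challenge=None):
    """Build the authorization URL; add kc_idp_hint only when the client allows
    a single provider. Returns (url, state) so the caller can store the state."""
    allowed = CLIENT_IDP_POLICY[client_id]
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    if len(allowed) == 1:
        # Keycloak skips its login page and redirects to this provider directly.
        params["kc_idp_hint"] = allowed[0]
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def check_callback(callback_url, expected_state):
    """Validate the redirect back from Keycloak and return the authorization code.
    The state must match the one stored for this browser session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"][0]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    url, state = build_auth_request("admin-console", "https://admin.example.com/cb",
                                    code_challenge=challenge)
    print(url)
    # Constructed callback as Keycloak would issue it after a successful login.
    print(check_callback(f"https://admin.example.com/cb?state={state}&code=abc123", state))
```

The hint decides which provider Keycloak redirects to, so the same realm and the same user identifiers serve every client; whether a login from the hinted provider is the only one acceptable for an admin client is still something the application or realm must enforce after the token comes back.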
Another option is to set up "ALTERNATE"s for your client inside the realm. If they have an NTLM bearer token in their request, then automatically use that. If they do not have an NTLM Bearer token you would offer the other options.
If you prefer to use Kerberos, you might look into the Kerberos bridge as an ALTERNATE: https://www.keycloak.org/docs/latest/server_admin/#_kerberos
Thanks for the responses. To clarify the situation: currently we show both the AD login and several other options in the login screen. I don’t think we can know beforehand if the user could login through AD, as we interface with AD through ADFS implementing OAuth2 (and soon it will be Azure AD and OIDC). For one client we have two different ADs (/ADFSs), with separate buttons on the choice screen. And even then, there might be edge cases where the user would need to use another login method, although they have an active AD login.
But @InfoSec812 mentioned using ALTERNATEs within the flow. I haven’t quite figured out what is possible using the flows in Keycloak. Would it be somehow possible to change the providers offered on the login screen? It looks like there is only a single fixed “Username Password Form”, but perhaps I’m missing something.
@vikoivun I am not sure about “changing” the listed providers. I know that it’s possible to attempt to use one alternative automatically (based on the content of the auth request) and if that fails THEN show the login screen.