Custom authenticator with new form

We have an IdP, which transfers the organization of a user per claim. Since some users belong to multiple organizations, the claim is multivalued. Since our clients only support working in one organization scope per session, we tried to add a custom form where the user could pick the organization he wants to work in from a dropdown. If the user wants to switch organization, he would have to log out and log in again, which is sufficient in our scenario.

Unfortunately, we weren’t able to find an extension point for this requirement in Keycloak. We tried to write a custom Authenticator implementation to be used as a Post Login Flow. But it looks like the LoginFormsProvider interface and Templates class only support the built-in set of forms.

Is there any other way to solve our problem?

You can go to a custom .ftl page in an authenticator with the following:

    context.challenge(context.form().createForm("my-custom-template.ftl"));

where context is the AuthenticationFlowContext in the action or authenticate method.
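
An added example, not part of the original thread and not Keycloak's own code: an Authenticator that renders the organization dropdown with the `createForm` call above and, on submit, accepts the posted value only if it is one of the organizations the IdP asserted for that user. It assumes the multivalued claim has been mapped to a user attribute named `organizations`; that attribute name, the form field `organization`, the session note `selected_organization` and the error message key `invalidOrganization` are all hypothetical names chosen for illustration.

```java
import java.util.List;
import java.util.stream.Collectors;
import jakarta.ws.rs.core.MultivaluedMap; // javax.ws.rs.core on older Keycloak releases
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class OrganizationSelectAuthenticator implements Authenticator {
    // All four names are assumptions made for this example.
    static final String ORGS = "organizations";
    static final String FIELD = "organization";
    static final String NOTE = "selected_organization";
    static final String TEMPLATE = "my-custom-template.ftl";

    private List<String> orgs(AuthenticationFlowContext context) {
        return context.getUser().getAttributeStream(ORGS).collect(Collectors.toList());
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Expose the list to the template as ${organizations} for the dropdown.
        context.challenge(context.form().setAttribute(ORGS, orgs(context)).createForm(TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String chosen = form.getFirst(FIELD);
        List<String> orgs = orgs(context);
        // The posted value is client-controlled: accept it only if it is one of the user's own.
        if (chosen == null || !orgs.contains(chosen)) {
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                context.form().setAttribute(ORGS, orgs)
                    .setError("invalidOrganization").createForm(TEMPLATE));
            return;
        }
        context.getAuthenticationSession().setUserSessionNote(NOTE, chosen);
        context.success();
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The template's form posts the field to `${url.loginAction}`, and the class still needs an AuthenticatorFactory to be selectable in a flow. A User Session Note protocol mapper can then copy the note into the token as a single-valued claim.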