How to Restrict Identity Providers to Specific Client

Hello everyone, I’m using Keycloak 25.0.6 and I would like to know if it’s possible to restrict the display of identity providers to a specific client. I have the following setup: 1 realm and 3 clients (client1, client2, client3), and 2 identity providers (idp1 and idp2). I need the following outcome:

  • Client1 login should display the default Keycloak login and the option to log in via idp1
  • Client2 login should display the default Keycloak login and the option to log in via idp2
  • Client3 login should display only the default Keycloak login

I tried passing the following via query string during the app redirection to Keycloak: kc_idp_hint=idp1 for client1, kc_idp_hint=idp2 for client2, and kc_idp_hint='' for client3. However, all clients are showing both identity provider options. Does anyone know how I can achieve this result?

This scenario sounds more like you want to use different realms.
Each realm is one pool of users, clients are “client applications” that grant access to this user pool.

I considered this approach, but in my scenario, I might have users accessing more than one client. I want to avoid using multiple realms because, in my case, the number of realms could grow significantly, and I would still need to handle authentication of users from one realm in other realms. In my opinion, this management could become quite complex.

@bpedersen2, do you know if it’s possible to implement this use case the way I explained in the first post? Or do you have any other idea on how I can achieve this without the downsides of using multiple realms?