I have been seeking a solution for quite a while now, and now that I have read a lot about Keycloak and about the authentication mechanisms, as well as built some test setups, I have decided to ask here.
My goal is to connect some publicly available applications of my organization to a Keycloak instance to allow both my own organization’s users (brokering with Azure AD) and also some customers’ users (brokering with whatever IdP they use, or adding these users to Keycloak as “local users” if the organization doesn’t have one).
Standard functionality is perfect here, BUT I don’t want customer A to see the button revealing that customer B is also enabled as an IdP for this Keycloak instance. Assume you are from Mercedes and log in at some service provider’s dashboard; the provider probably does not want you to see that he also has BMW as a customer… (not saying that we have either one of those as customers, just an example).
I know of the possibility to directly “pass through” to an IdP by using the kc_idp_hint, but this doesn’t really help me, as in order to do this I would have to have the same service on different domains in order to define different clients with different overrides of the browser flow.
What I WOULD like instead, in place of the buttons displayed on the login page linking to the upstream IdPs, is a field where the user can enter his domain name or his email address, and based on the domain he gets forwarded to the identity provider matching the domain name. If there is no match, he gets a “sorry” and that’s it.
Would this be possible, and if so, how? Has anybody implemented something like that? I don’t think my use case is so rare… Is the right way to implement such a thing just a new template/theme to be developed?
Thanks in advance for any good ideas
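An added example, not from the original post or from the Keycloak project: a small "home realm discovery" helper in Python that takes the entered email address or domain, resolves it to a Keycloak identity-provider alias, and builds the authorization URL with kc_idp_hint, so the application can send the user straight to the right IdP without rendering any IdP buttons. The Keycloak base URL, realm name, IdP aliases and the domain table are constructed assumptions; unknown domains all yield the same None result so the page discloses nothing about which customers are configured.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed sample mapping (assumption): customer mail domain -> Keycloak IdP alias.
DOMAIN_TO_IDP = {
    "example-corp.com": "azure-ad-example-corp",
    "customer-a.example": "oidc-customer-a",
    "customer-b.example": "saml-customer-b",
}

KEYCLOAK_BASE = "https://keycloak.example.org"  # assumed Keycloak host
REALM = "customers"                               # assumed realm name


def normalize_domain(user_input: str) -> Optional[str]:
    """Accept an email address or a bare domain; return the lowercase domain or None."""
    value = user_input.strip().lower()
    if "@" in value:
        local, _, domain = value.rpartition("@")
        if not local or not domain:
            return None
        value = domain
    # Reject anything that does not look like a hostname before it is used for a lookup.
    if not value or "/" in value or " " in value or ".." in value:
        return None
    return value.strip(".")


def find_idp_alias(domain: str) -> Optional[str]:
    """Match the domain or any parent domain (mail.customer-a.example -> customer-a.example)."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # stop before a bare TLD, which must never match
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_TO_IDP:
            return DOMAIN_TO_IDP[candidate]
    return None


def build_login_url(user_input: str, client_id: str, redirect_uri: str, state: str) -> Optional[str]:
    """Return the Keycloak authorization URL carrying kc_idp_hint, or None when no IdP matches.
    Callers should render one generic 'sorry' page for every None, never a per-domain hint."""
    domain = normalize_domain(user_input)
    alias = find_idp_alias(domain) if domain else None
    if alias is None:
        return None
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,          # CSRF binding for the OIDC flow, generated per login attempt
        "kc_idp_hint": alias,    # Keycloak skips its login page and forwards to this IdP
    }
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"
```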