IdP broking based on email address

I’m trying to understand and figure out if we can use Keycloak for our specific use case.

We are a SP and have multiple clients logging in to our SaaS. Each client has multiple users all sharing the same email domain name. Client users can be recognized by domain: *, * etc.

I would like to use Keycloak in front of our SaaS and let the user fill out their email (only), and based on the email domain redirect to a configured IdP for that domain.

Is that possible? Any other better solution?
Thanks in advance, any help and suggestions are really appreciated!!


It is possible to do this, but it’s not part of the standard Keycloak distribution. You would need to implement a custom Authenticator that will redirect to the IdP based on email domain. There is an example you can build on here: keycloak-extension-playground/auth-dynamic-idp-redirector-extension at master · thomasdarimont/keycloak-extension-playground · GitHub

Please let me know if I can help with this!
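
One way such a custom Authenticator can look, as an added example that is not code from this thread or from the linked playground project. It assumes a recent Keycloak server SPI (jakarta.ws.rs since Keycloak 22, javax.ws.rs before that, and the 6-argument Urls.identityProviderAuthnRequest), and the domain-to-alias table holds constructed sample values; the email is used only as a server-side routing hint, and unknown domains fall through to the next step of the flow.

```java
// Added example, not from the thread or the linked project; assumes a recent Keycloak server SPI
// (jakarta.ws.rs since Keycloak 22, javax.ws.rs before; 6-argument Urls.identityProviderAuthnRequest).
import java.net.URI;
import java.util.Map;
import jakarta.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.*;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.ClientSessionCode;

public class EmailDomainIdpRedirectAuthenticator implements Authenticator {
    // Server-side allowlist of email domain -> IdP alias (constructed sample values). Only aliases
    // listed here can be targeted, so the typed email cannot steer the flow to an arbitrary IdP.
    private static final Map<String, String> DOMAIN_TO_IDP = Map.of(
            "client-a.example", "client-a-saml",
            "client-b.example", "client-b-oidc");
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Show the username-only form; the email is a routing hint, not proof of identity.
        context.challenge(context.form().createLoginUsername());
    }
    @Override
    public void action(AuthenticationFlowContext context) {
        String domain = domainOf(context.getHttpRequest().getDecodedFormParameters().getFirst("username"));
        String alias = domain == null ? null : DOMAIN_TO_IDP.get(domain);
        IdentityProviderModel idp = alias == null ? null : context.getRealm().getIdentityProviderByAlias(alias);
        if (idp == null || !idp.isEnabled()) {
            context.attempted(); // unknown domain or disabled IdP: fall through to the next step (e.g. local login)
            return;
        }
        // Same hand-off Keycloak's built-in IdentityProviderAuthenticator performs.
        var authSession = context.getAuthenticationSession();
        String code = new ClientSessionCode<>(context.getSession(), context.getRealm(), authSession).getOrGenerateCode();
        URI target = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), alias,
                context.getRealm().getName(), code, authSession.getClient().getClientId(), authSession.getTabId());
        context.forceChallenge(Response.seeOther(target).build());
    }
    // Lower-case, trim, and return the part after the last '@'; null for anything not shaped like user@domain.
    static String domainOf(String email) {
        if (email == null) return null;
        String e = email.trim().toLowerCase();
        int at = e.lastIndexOf('@');
        return (at <= 0 || at == e.length() - 1) ? null : e.substring(at + 1);
    }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The class still needs an AuthenticatorFactory registration and deployment as a provider, and a place in a custom browser flow ahead of the local username/password step. Pair it with each IdP's first-login and account-linking settings so that an assertion from one client's IdP cannot claim an address in another client's domain.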

Wonderful! Thanks a lot, really appreciated. Time to dust off Java coding again…