IdP brokering based on email address

I’m trying to understand and figure out if we can use Keycloak for our specific use case.

We are an SP and have multiple clients logging in to our SaaS. Each client has multiple users all sharing the same email domain name. Clients' users can be recognized by domain: *.domain.com, *.domain1.com etc.

I would like to use Keycloak in front of our SaaS and let the user fill out their email (only), and based on the email domain redirect to a configured IdP for that domain.

Is that possible? Any other better solution?
Thanks in advance; any help and suggestions are really appreciated!!

//Mattias

It is possible to do this, but it’s not part of the standard Keycloak distribution. You would need to implement a custom Authenticator that will redirect to the IdP based on email domain. There is an example you can build on here: keycloak-extension-playground/auth-dynamic-idp-redirector-extension at master · thomasdarimont/keycloak-extension-playground · GitHub

Please let me know if I can help with this!

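A minimal version of such an Authenticator, added here as an illustration and not taken from the linked playground project: it renders Keycloak's stock username form, maps the email's domain to an IdP alias through an assumed `domain-idp-mapping` config property (the AuthenticatorFactory that declares it is not shown), and reuses the broker redirect that Keycloak's built-in IdentityProviderAuthenticator performs. It assumes a Keycloak 12-era SPI (javax.ws.rs namespace; releases from 22 on use jakarta.ws.rs) and that the IdP aliases named in the mapping exist in the realm.

```java
import java.net.URI;
import java.util.Locale;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.ClientSessionCode;

/** Email-only first step: the email is used for routing only; the chosen IdP does the authentication. */
public class EmailDomainIdpRedirector implements Authenticator {
    /** Assumed config property (set by the factory), e.g. "domain.com=okta-a,domain1.com=adfs-b". */
    static final String MAPPING_PROPERTY = "domain-idp-mapping";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        context.challenge(context.form().createLoginUsername()); // the username field takes the email
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        String email = context.getHttpRequest().getDecodedFormParameters().getFirst("username");
        String mapping = context.getAuthenticatorConfig() == null ? null : context.getAuthenticatorConfig().getConfig().get(MAPPING_PROPERTY);
        String idpAlias = idpAliasFor(email, mapping);
        if (idpAlias == null) { context.attempted(); return; } // unknown domain: let later flow steps handle it
        // Same broker-login URL that Keycloak's built-in IdentityProviderAuthenticator builds.
        String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        String tabId = context.getAuthenticationSession().getTabId();
        URI location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), idpAlias, context.getRealm().getName(), accessCode, clientId, tabId);
        context.forceChallenge(Response.seeOther(location).build());
    }

    /** Exact, case-insensitive match of the part after the last '@' against "dom=alias,dom2=alias2".
     *  No suffix or substring matching, so "evil-domain.com" is never routed to domain.com's IdP. */
    static String idpAliasFor(String email, String mapping) {
        if (email == null || mapping == null || email.lastIndexOf('@') < 0) return null;
        String domain = email.substring(email.lastIndexOf('@') + 1).trim().toLowerCase(Locale.ROOT);
        if (domain.isEmpty()) return null;
        for (String pair : mapping.split(",")) {
            String[] kv = pair.split("=", 2);
            if (kv.length == 2 && kv[0].trim().toLowerCase(Locale.ROOT).equals(domain)) return kv[1].trim();
        }
        return null;
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Register it through an AuthenticatorFactory, then place it as the first step of a copy of the browser flow; the IdP itself must still verify the email before any account is linked or created.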

Wonderful! Thanks a lot, really appreciated. Time to dust off Java coding again…