IdP post-login flow per client

In my setup some of my clients require a specific Browser Flow with custom authenticators, while for other clients I really want to run the standard Browser login flow.

I can easily achieve this with the client-specific Authentication Flow Overrides.

But now, using an IdP, I have to create a post-login flow with my custom authenticators for the clients that require it, but if I do that, all the clients that need to run the standard flow would also run my authenticators.

In order to fix this it would be great to either allow specifying IdP post-login overrides at the client level, or to continue the original login flow after the IdP login.

A similar question was asked here: "authentication - Configure IdP Post Login Flow per-client - Stack Overflow", and here: "Run custom authenticator after brokered login in custom flow".

Would there be any workaround to achieve this?
(Besides having the IdP post-login flow with a conditional step checking which clients should run the steps?)

Thanks for any help

I would say that “conditional step checking” is the best option. Maybe I would indicate the step requirement via a custom scope name - then it can be easily managed via client configuration (it can be assigned as a default/optional scope for selected clients).

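As an added illustration of the scope-marker approach suggested above (example code, not from the original thread or from Keycloak itself): a custom conditional authenticator for the IdP post-login flow that only lets its conditional sub-flow run when the client that started the login has a marker client scope assigned. It assumes the `ConditionalAuthenticator` SPI and `ClientModel.getClientScopes(boolean)` from the Keycloak server API of that era; the package, class and scope names are hypothetical, and a matching `ConditionalAuthenticatorFactory` plus `META-INF/services` registration are still needed to deploy it.

```java
package com.example.keycloak; // hypothetical package

import java.util.Map;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Condition for a "Conditional" sub-flow in the IdP post-login flow:
 * the custom authenticators placed under that sub-flow execute only for
 * clients that carry the marker client scope; every other client falls
 * through to the rest of the (standard) flow untouched.
 */
public class ClientScopeMarkerCondition implements ConditionalAuthenticator {

    // Hypothetical marker scope: create it once in the realm and assign it
    // (default or optional) only to the clients that need the extra steps.
    static final String MARKER_SCOPE = "require-custom-post-login";

    @Override
    public boolean matchCondition(AuthenticationFlowContext context) {
        // The auth session knows which client initiated the brokered login.
        ClientModel client = context.getAuthenticationSession().getClient();
        return hasMarkerScope(client);
    }

    static boolean hasMarkerScope(ClientModel client) {
        if (client == null) return false; // no client context: do not run the steps
        Map<String, ClientScopeModel> defaults = client.getClientScopes(true);
        Map<String, ClientScopeModel> optional = client.getClientScopes(false);
        return defaults.containsKey(MARKER_SCOPE) || optional.containsKey(MARKER_SCOPE);
    }

    // A condition never interacts with the user, so the remaining callbacks are no-ops.
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because the decision is driven purely by client configuration, adding or removing a client from the custom steps is an admin-console change, not a flow change.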

Wait for KC17, then, finally, the Step-Up-Authentication feature will be available. With step-up you’ll be able to specify different LoAs (levels of authentication) for your various clients.
Everything else is IMHO just a manual workaround with error-prone security/authentication/LoA.

Keep in mind that users always authenticate at the realm level, not at the client level. When a user is authenticated at a realm, they basically have access to all clients participating in that realm. At least from a Keycloak point of view.