Map users with IDPs and Using custom REST API based SPI for authorizing the Users

Hello There,

I am new to KeyCloak and we are evaluating KeyCloak to be used for Identity Brokering.
We are having couple of scenarios where we trying to use Multiple IDPs to authenticate the User.

  1. And the idea is we will ask the domain name from user (email e.g. and bases on the provided domain we would like to auto redirect to IDP login page.
  2. We are planning to integrated organization wide User Management (REST based) Micro Service to authorize the authenticated users. Can we write a custom implementation of SPI to do the same?

I am open for suggestions :slight_smile:



Did you get some solution for this? if so, could you please share the details

There is not a built-in redirector to IdP based on domain. For that, you will need to build a custom authenticator that does the redirection logic. There is a good example of one way to do it here: keycloak-extension-playground/auth-dynamic-idp-redirector-extension at master ยท thomasdarimont/ke

Regarding your second question, can you elaborate more on what you want to use the external service for? To map values to the token? To be used in authorization decisions?