Hello
I have a question regarding IdP brokering:
We have added an internal OIDC identity provider to our keycloak instance and would like to restrict the login to brokered users which have specific roles (“RoleA” and “RoleB”) in their “roles” claim. Preferrably we’d like to prevent the import/creation of the brokered users in Keycloak completely on first login if the user is missing the role in the IdP claim.
Current setup:
- IdP is setup and working with “Sync mode: force” and a custom “First login flow” and “Post login flow”
- IdP also has two “Advanced Claim to Role” mappers defined to map the received “roles” claim which contains “RoleA” and “RoleB” to the respective Keycloak roles “Admin” and “User”.
- The custom “First login flow” currently creates the user if it does not exist yet or links it to an exisiting one automatically
- The custom “Post login flow” checks if the user has “Admin” or “User” assigned and will only allow access if the user has one of them.
Situation right now:
When a new user logs-in through the IdP he is automatically imported in Keycloak even if he does not have the correct role but is then prevented to login because of the “Post login flow” checks.
What I tried:
It was not clear to me of the IdP mappers run on the temporary object that flows through the “First login flow” or not. So I first tried duplicating the setup I have in the “Post login flow” to check if the user has one of the roles. This did not work, it appears that the user must already be created for that to work I assume.
Is there a way to inspect the IdP provider claims in the “First login flow” and base conditionals on them? Or is there another approach?
Context:
IdP Mapper:
Post Login Flow:
First Login Flow:
