User is redirected to the Keycloak IdP and a form with username and password is presented
User fills in his email again, and fills in the password
User is redirected to Gmail as authenticated user. It’s working.
How can I replace the “Username Password Form” in the “Browser” authentication flow with a “Password Form” in Keycloak?
I’ve duplicated the “Browser” flow to “Browser Google”, replacing the “Username Password Form” with “Password Form”, and in the advanced client settings I have overridden the “Browser Flow” with the new one. Now when the user is redirected to Keycloak, a “We are sorry… Invalid Request” message is obtained. Now it’s broken.
I think I am missing some steps… maybe somewhere I should map fields, or a different “Password Form” should be used.
The password form just checks the password, and requires a known user in the session. If you want Google to send the email, you have to configure it to add the login_hint parameter. Then, Keycloak will auto-fill the email in the username/password form.
No way has been found to avoid users retyping their email when the Google “SAML SSO with third-party IdP” is configured, with Google as SP and Keycloak as IdP.
I think the login_hint workaround proposed is for ConnectID and is not supported in SAML Auth requests. I tried adding this param to the “Sign-in page URL” on Google but Keycloak doesn’t populate the email on the username password form. Even if it worked, it’s not possible to set the “Sign-in page URL” in Google with some param to parse the email that is trying to log on.
I suppose Google should include in its SAML request some SAML2 extension filling the username, maybe in the saml2:Subject, but I’m not sure.
I think the only way is proposing the feature to Google in the Google Cloud Community, but I’m not an expert in SAML2 and I don’t know if the protocol or Keycloak supports this.
If somebody has any suggestion in the future it will be welcome.
At the moment my users will need to type their email twice but this is not a good user experience.
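To check what the last post suspects (whether the SP's SAML request carries a username in saml2:Subject), the captured sign-in redirect can be decoded and inspected. This is an added example, not part of the original posts; it assumes the request arrives via the HTTP-Redirect binding, and the URL, issuer and email in `build_sample_url` are constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # refuse oversized requests instead of inflating them fully

def decode_redirect_request(url):
    """Return the AuthnRequest XML from an HTTP-Redirect binding URL."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("URL has no SAMLRequest parameter")
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)  # raw DEFLATE, no zlib header
    xml_bytes = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated request exceeds size limit")
    return xml_bytes.decode("utf-8")

def inspect_authn_request(xml_text):
    """Report the issuer and any requested subject in an AuthnRequest."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {"issuer": issuer.text if issuer is not None else None,
            "subject_name_id": name_id.text if name_id is not None else None}

def build_sample_url(subject=None):
    """Constructed sample: a redirect URL like the one an SP would send."""
    subj = ("<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>" % subject
            if subject else "")
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
           'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
           '<saml:Issuer>sp.example.test</saml:Issuer>%s</samlp:AuthnRequest>'
           % (NS["samlp"], NS["saml"], subj))
    deflater = zlib.compressobj(wbits=-15)
    packed = deflater.compress(xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(packed).decode()})
    return "https://idp.example.test/realms/demo/protocol/saml?" + query

if __name__ == "__main__":
    for url in (build_sample_url(), build_sample_url("alice@example.test")):
        print(inspect_authn_request(decode_redirect_request(url)))
```

If `subject_name_id` is `None` for a real captured request, the SP sent no username for the IdP to pre-fill.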