Replace "Username Password Form" with "Password Form" when Keycloak is the IdP for Google Workspace

Hi, I’m a newbie with Keycloak 25.0.1.

I’ve followed the steps in "Keycloak single sign-on | Cloud Architecture Center | Google Cloud" in order to test Keycloak as IdP for some users in one of my Google “Organizational units”.

Everything is working as follows:

  • The user browses to https://mail.google.com
  • In Google, the user fills in his email
  • The user is redirected to the Keycloak IdP and a form with username and password is presented
  • The user fills in his email a second time, and fills in the password
  • The user is redirected to Gmail as an authenticated user. It’s working.

How can I change the “Username Password Form” in the “Browser” authentication flow in Keycloak to a “Password Form”?

I’ve duplicated the “Browser” flow to “Browser Google”, replacing the “Username Password Form” with “Password Form”, and in the advanced client settings I have overridden the “Browser Flow” with the new one. Now when the user is redirected to Keycloak, a “We are sorry… Invalid Request” message is obtained. Now it’s broken.

I think some steps are missing for me… maybe somewhere I should map fields, or a different “Password Form” should be used.

Please, any help will be appreciated.

The password form just checks the password, and requires a known user in the session. If you want Google to send the email, you have to configure it to add the login_hint parameter. Then, Keycloak will auto-fill the email in the username/password form.


@xgp, thank you for your answer. I’ve been investigating the “login_hint” parameter but I don’t find how to configure this.

In “Google Admin”, configuring “SSO with third-party IdP”, I don’t see anything related to “login_hint”.

Is “login_hint” something I should set in my Keycloak?

Google has to pass it. If they don’t support it, it won’t work.

Thank you.

No way has been found to avoid users re-typing their email when the Google “SAML SSO with third-party IdP” is configured. Google as SP and Keycloak as IdP.

I think the login_hint workaround proposed is for OpenID Connect and is not supported in SAML authentication requests. I tried adding this param to the “Sign-in page URL” on Google but Keycloak doesn’t populate the email on the username password form. Even if it had worked, it’s not possible to give Google a “Sign-in page URL” with some param to parse the email that is trying to log on.

I suppose Google should include in its SAML request some SAML2 extension filling in the username, maybe in the saml2:Subject, but I’m not sure.

I think the only way is proposing the feature to Google in "Home - Google Cloud Community", but I’m not an expert in SAML2 and I don’t know if the protocol or Keycloak supports this.

If somebody has any suggestion in the future, it will be welcome.

At the moment my users will need to type their email twice but this is not a good user experience.

Thank you.
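As an added illustration (not code from the thread, from Keycloak or from Google), the script below shows the two places on an incoming login URL where an IdP could pick up a pre-filled username: the OIDC `login_hint` query parameter that @xgp mentions, and a `saml:Subject/saml:NameID` inside a SAML 2.0 AuthnRequest sent with the HTTP-Redirect binding (base64 of raw-DEFLATE XML), which the last post speculates about. SAML 2.0 Core (section 3.4.1) does permit a `Subject` element in an AuthnRequest; whether Google Workspace sends one, or Keycloak honours it, is a product question this example does not answer. The host names, IDs and the sample AuthnRequest are constructed for the example.

```python
"""Locate a pre-filled username hint on an IdP login URL (constructed example)."""
import base64
import zlib
from urllib.parse import urlparse, parse_qs, urlencode
# In production, parse SP-supplied XML with defusedxml to avoid entity-expansion attacks.
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an AuthnRequest carrying a Subject, as SAML 2.0 Core 3.4.1 allows.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-07-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/acs">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""


def encode_redirect_saml_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_saml_request(encoded: str) -> str:
    """Inverse of the above: base64 -> raw DEFLATE -> XML text."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def subject_from_authn_request(xml_text: str):
    """Return the NameID text from <saml:Subject> if the AuthnRequest carries one."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAML_NS["samlp"]:
        return None
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip()


def extract_login_hint(url: str):
    """Return (source, value): ('login_hint', ...), ('saml:Subject', ...) or (None, None)."""
    qs = parse_qs(urlparse(url).query)
    if "login_hint" in qs:                      # OIDC-style hint as a plain query parameter
        return "login_hint", qs["login_hint"][0]
    if "SAMLRequest" in qs:                     # SAML HTTP-Redirect binding
        subject = subject_from_authn_request(decode_redirect_saml_request(qs["SAMLRequest"][0]))
        if subject:
            return "saml:Subject", subject
    return None, None


def build_sample_saml_login_url() -> str:
    """Constructed IdP login URL carrying the sample AuthnRequest (urlencode keeps base64 intact)."""
    query = urlencode({"SAMLRequest": encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST)})
    return "https://idp.example.test/realms/demo/protocol/saml?" + query


if __name__ == "__main__":
    for u in (
        "https://idp.example.test/realms/demo/protocol/openid-connect/auth?client_id=x&login_hint=bob%40example.test",
        build_sample_saml_login_url(),
        "https://idp.example.test/realms/demo/protocol/saml",
    ):
        print(extract_login_hint(u))
```

The point for the thread: a Password Form can only work if something upstream of it identifies the user, and a hint like this is the only way the SP can pass that identity without a second prompt. If the SP sends neither carrier, the IdP has nothing to pre-fill and the username form is unavoidable.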