Right fit for my B2C use case?

Hello!

I’m currently evaluating some authn/z and identity management platforms for my project. As I believe I have quite a particular use case, I’m wondering if Keycloak would fit it. It seems to have all the features I need, but I’m unsure if they would work the way I would like to set it up or if there’s a recommended way to set it up in a way that would work for me.

Basically, I would like to:

  • Automatically sync my company users (LDAP).
    • Ideally assign them specific roles based on their LDAP group.
    • Force MFA only for these users.
  • Allow public users to register accounts and log in.
  • Set up custom OIDC providers (I believe it’s possible to extend KC for this?).
  • Link/Unlink accounts to third parties (i.e. Microsoft) and allow logging in with them or, if the user account doesn’t exist yet, do the linking flow on account creation.
  • Display some SSO options on specific clients (i.e. one client would show GitHub as an SSO option while all others won’t).

In a nutshell, I want to use it as a B2C + B2B IdP with some ways to automate enrollment for B2B users and specific flows based on roles (automatically given for B2B users).

Any other tips or advice on getting started with Keycloak is also welcome 🙂

Thanks!

Yes, Keycloak will work for all these use cases. For setting up custom OIDC providers you don’t need an extension; I think it works with most providers ootb. For your company users, you can have a specific provider, and as people try to sign in it will automatically sync users. I think using custom mappers for each id provider would work, and this can be done directly using a realm config JSON file.

1 Like
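As an added example (not part of the thread, and not Keycloak's own code): a check to run over a realm config JSON file before import, confirming that the per-provider role mappers line up with the "MFA only for company users" requirement. It assumes the `identityProviders` / `identityProviderMappers` layout of a Keycloak realm export; the aliases, the `employee` role and the claim values are hypothetical, and the sample realm is constructed.

```python
import json

# Constructed realm fragment; aliases, role and claim values are hypothetical.
REALM_JSON = """{
  "identityProviders": [
    {"alias": "corp-oidc", "providerId": "oidc", "enabled": true},
    {"alias": "microsoft", "providerId": "microsoft", "enabled": true}],
  "identityProviderMappers": [
    {"name": "staff-role", "identityProviderAlias": "corp-oidc",
     "identityProviderMapper": "oidc-role-idp-mapper",
     "config": {"claim": "groups", "claim.value": "staff", "role": "employee"}},
    {"name": "ms-role", "identityProviderAlias": "microsoft",
     "identityProviderMapper": "oidc-hardcoded-role-idp-mapper",
     "config": {"role": "employee"}}]
}"""

# Built-in OIDC broker mappers that assign a role to the brokered user.
ROLE_MAPPERS = {"oidc-role-idp-mapper", "oidc-hardcoded-role-idp-mapper",
                "oidc-advanced-role-idp-mapper"}

def load_sample():
    return json.loads(REALM_JSON)

def roles_by_idp(realm):
    """Map each enabled IdP alias to the roles its mappers can grant."""
    granted = {idp["alias"]: set()
               for idp in realm.get("identityProviders", [])
               if idp.get("enabled", True)}
    for m in realm.get("identityProviderMappers", []):
        alias = m.get("identityProviderAlias")
        role = m.get("config", {}).get("role")
        if (alias in granted and role
                and m.get("identityProviderMapper") in ROLE_MAPPERS):
            granted[alias].add(role)
    return granted

def audit(realm, mfa_role, corporate):
    """Flag IdPs whose mappers break 'mfa_role is held by company users only'."""
    granted = roles_by_idp(realm)
    findings = [f"{a}: corporate IdP missing or disabled"
                for a in sorted(set(corporate) - set(granted))]
    for alias, roles in sorted(granted.items()):
        if alias in corporate and mfa_role not in roles:
            findings.append(f"{alias}: no mapper grants '{mfa_role}'")
        elif alias not in corporate and mfa_role in roles:
            findings.append(f"{alias}: public IdP grants '{mfa_role}'")
    return findings
```

On the constructed sample, `audit(load_sample(), "employee", {"corp-oidc"})` reports the `microsoft` provider, because a hardcoded mapper there would hand the company role to every public user who signs in through it.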

All of your requirements can be solved by using Keycloak, except for this one:

Keycloak itself does not provide such an option (as it would speak against the concept of an SSO, where the user authenticates against the realm, not against a specific client).
A possible “workaround” could be to create a custom theme and code the logic into your theme. But that’s a hacky one…