Is there a way to configure authenticator executions to run after the IDP brokering completes?
The only way I have figured out how to do this is to create a custom post-broker-login flow, and set it as the IDP’s post-broker-login flow.
While this is technically possible, it means I have to write all of my custom authenticators in such a way that they are able to run for every login from this IDP.
For example, I have a custom authenticator that I only want to run after brokered logins for a specific client. The current approach I have taken is to make the authenticator client-aware, and perform a no-op if the client in the current authentication session doesn’t match the one this is configured for.
Ideally, I would like to create an entire custom browser flow for this client, but i’m unable get my authenticator to run from that flow, as the IDP redirect takes precedence, and after it completes i’m never brought back to my subsequent required authenticators after the redirect in that flow.
client: configured browser flow to redirect to an IDP
custom authenticator: configured in the IDP’s post-login flow
client: custom browser flow with IDP redirect and custom authenticator
custom authenticator: configured in this flow
Has anyone else had this use case? If so, were you able to implement my desired approach?