Set default identity provider using the command line (kcadm)

Hello,

I’m trying to automate setting the default Identity Provider, and so I’m trying to do it on the command line.
I’ve been able to set this in the “Identity Provider Redirector” step of the “Browser” flow in the administrative interface, but I’m having issues doing it in the command line, because I simply cannot find the parameter:

./kcadm.sh get authentication/flows/browser/executions -r realm
[ {
  "id" : "e085f078-243d-4e07-bca6-2e15c99058f5",
  "requirement" : "ALTERNATIVE",
  "displayName" : "Cookie",
  "requirementChoices" : [ "REQUIRED", "ALTERNATIVE", "DISABLED" ],
  "configurable" : false,
  "providerId" : "auth-cookie",
  "level" : 0,
  "index" : 0,
  "priority" : 10
}, {
  "id" : "601babc4-dc10-4680-9781-d9c1663eaf7e",
  "requirement" : "DISABLED",
  "displayName" : "Kerberos",
  "requirementChoices" : [ "REQUIRED", "ALTERNATIVE", "DISABLED" ],
  "configurable" : false,
  "providerId" : "auth-spnego",
  "level" : 0,
  "index" : 1,
  "priority" : 20
}, {
  "id" : "d44a5db4-1b1c-4d44-9fdc-df41d34d128f",
  "requirement" : "ALTERNATIVE",
  "displayName" : "Identity Provider Redirector",
  "alias" : "google",
  "requirementChoices" : [ "REQUIRED", "ALTERNATIVE", "DISABLED" ],
  "configurable" : true,
  "providerId" : "identity-provider-redirector",
  "authenticationConfig" : "0675aaee-ffdb-4dcb-9c0c-d074ad0e94dd",
  "level" : 0,
  "index" : 2,
  "priority" : 25
}
[...]

As you can see, the third step is “Identity Provider Redirector”. The alias is set to “google”, but I’ve no idea where I’m supposed to set the default provider. Maybe this isn’t actually the right place to change this and I should be doing it in the identity provider?

I’m not seeing anything relevant using kcadm.sh get identity-provider/instances/google though.

Any hints would help :slight_smile:

The help I’ve been getting on this forum has been unbelievable, so I thought I’d give back by providing the solution that I’ve eventually found, partially with the help of ChatGPT.

After creating the identity provider and the mapper (which isn’t really relevant here, but maybe someone needs it):

/opt/keycloak/bin/kcadm.sh create identity-provider/instances -r my_realm -s alias=google -s providerId=google -s enabled=true -s 'config.useJwksUrl="true"' -s config.clientId=${google_client_id} -s config.clientSecret=${google_secret_id}

/opt/keycloak/bin/kcadm.sh create identity-provider/instances/google/mappers -r my_realm \
    -s name="user remove domain part" \
    -s identityProviderAlias=google \
    -s identityProviderMapper=oidc-username-idp-mapper \
    -s config.syncMode=IMPORT \
    -s config.template='${CLAIM.given_name}.${CLAIM.family_name}' \
    -s config.target=LOCAL

I retrieved the identity provider redirector step from the “browser” flow, then I created a JSON file with the data that I needed to change, and then I created the step (execution) config:

basic_client_scope_id=$(/opt/keycloak/bin/kcadm.sh get client-scopes -r my_realm | jq -r '.[] | select(.name == "basic") | .id')

# Look up the execution ID of the "Identity Provider Redirector" step in the "browser" flow
# (its providerId is "identity-provider-redirector" in the listing above); the commands below use it.
identity_provider_redirector_id=$(/opt/keycloak/bin/kcadm.sh get authentication/flows/browser/executions -r my_realm | jq -r '.[] | select(.providerId == "identity-provider-redirector") | .id')

cat << 'EOF' > default_identity_provider_google.json
{
    "alias": "google",
    "config": {
        "defaultProvider": "google"
    }
}
EOF

/opt/keycloak/bin/kcadm.sh create "authentication/executions/${identity_provider_redirector_id}/config" -r my_realm -f default_identity_provider_google.json

It also works without a JSON file, using only CLI parameters:

/opt/keycloak/bin/kcadm.sh create "authentication/executions/${identity_provider_redirector_id}/config" -s alias=google -s 'config."defaultProvider"=google' -r my_realm
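The step the commands above leave implicit is finding the execution ID of the redirector step and making sure the alias you point it at actually exists and is enabled (a typo here silently leaves the default redirect broken). Below is an added Python example, not code from the post or from Keycloak itself: it parses the two listings kcadm returns, picks the single `identity-provider-redirector` execution, validates the target alias, and builds the `kcadm.sh create` command the post uses. The sample JSON documents are constructed from the listing in the thread, and the realm, alias and kcadm path are the ones the post shows.

```python
"""Plan the 'default identity provider' change from kcadm output.

Added example (not from the forum post or the Keycloak project). Assumes the
JSON shapes returned by
  kcadm.sh get authentication/flows/browser/executions -r my_realm
  kcadm.sh get identity-provider/instances -r my_realm
as shown in the thread; the documents below are constructed samples.
"""
import json
import shlex

# Constructed sample: trimmed copy of the executions listing from the post.
EXECUTIONS_JSON = """[
  {"id": "e085f078-243d-4e07-bca6-2e15c99058f5", "requirement": "ALTERNATIVE",
   "displayName": "Cookie", "providerId": "auth-cookie", "configurable": false},
  {"id": "601babc4-dc10-4680-9781-d9c1663eaf7e", "requirement": "DISABLED",
   "displayName": "Kerberos", "providerId": "auth-spnego", "configurable": false},
  {"id": "d44a5db4-1b1c-4d44-9fdc-df41d34d128f", "requirement": "ALTERNATIVE",
   "displayName": "Identity Provider Redirector", "alias": "google",
   "providerId": "identity-provider-redirector", "configurable": true,
   "authenticationConfig": "0675aaee-ffdb-4dcb-9c0c-d074ad0e94dd"}
]"""

# Constructed sample of the identity-provider instances listing (only the
# fields this script needs; "legacy-saml" is a made-up disabled provider).
IDP_INSTANCES_JSON = """[
  {"alias": "google", "providerId": "google", "enabled": true},
  {"alias": "legacy-saml", "providerId": "saml", "enabled": false}
]"""

REDIRECTOR_PROVIDER = "identity-provider-redirector"
KCADM = "/opt/keycloak/bin/kcadm.sh"


def find_redirector_execution(executions):
    """Return the one redirector execution; refuse to guess when 0 or >1 match."""
    matches = [e for e in executions if e.get("providerId") == REDIRECTOR_PROVIDER]
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one {REDIRECTOR_PROVIDER} execution, found {len(matches)}")
    return matches[0]


def check_default_provider(alias, idp_instances):
    """Refuse an alias that is unknown or disabled; returns the matching instance."""
    by_alias = {i["alias"]: i for i in idp_instances}
    if alias not in by_alias:
        raise ValueError(f"no identity provider with alias {alias!r}")
    if not by_alias[alias].get("enabled", False):
        raise ValueError(f"identity provider {alias!r} is disabled")
    return by_alias[alias]


def build_config_payload(alias):
    """Body for `create authentication/executions/{id}/config`, as in the post."""
    return {"alias": alias, "config": {"defaultProvider": alias}}


def build_kcadm_command(execution_id, alias, realm, kcadm=KCADM):
    """The CLI-parameter form from the post, as an argv list for subprocess.run()."""
    return [kcadm, "create", f"authentication/executions/{execution_id}/config",
            "-r", realm, "-s", f"alias={alias}",
            "-s", f'config."defaultProvider"={alias}']


def plan_default_provider(executions_json, idp_json, alias, realm):
    """Parse both listings, validate, and return (execution_id, argv)."""
    execution = find_redirector_execution(json.loads(executions_json))
    check_default_provider(alias, json.loads(idp_json))
    return execution["id"], build_kcadm_command(execution["id"], alias, realm)


if __name__ == "__main__":
    exec_id, argv = plan_default_provider(
        EXECUTIONS_JSON, IDP_INSTANCES_JSON, alias="google", realm="my_realm")
    print(f"redirector execution: {exec_id}")
    print(json.dumps(build_config_payload("google"), indent=2))
    print(shlex.join(argv))  # paste-ready shell line
```

In a real pipeline you would feed the script the live output of the two `kcadm.sh get` calls instead of the embedded samples; the point of the two checks is that a flow with no redirector step (or two of them) and a mistyped alias both fail before anything is written to the realm.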