[SOLVED] Custom (First) Broker Login with external IDPs

Hi everyone,

following scenario:

  • We have two external IDPs (one SAML, one OIDC)
  • We get from the IDPs some attributes like mobile-no, token-id
  • We need to map the attributes we receive from the IDPs to existing users
  • No new users are allowed to be created in Keycloak, only a mapping should take place in Keycloak

The problem: With the regular First Broker Login I cannot map to custom attributes

The idea: A custom login method will be implemented to

  • Select a user by its custom attributes
  • If mapping cannot be done, show error, prevent login

How can I implement this logic? Where to start?


I am trying to solve that with a custom Authenticator. So far, so good.
How can I programmatically add an IDP link in the “authenticate” method in the custom Authenticator? Or how to do that?

Finally solved it with some reverse engineering:

Now I also have access to the identity broker, which solves my issues.

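One way the attribute-based mapping discussed in this thread could be written, as an added example that is not the poster's solution or Keycloak's own code: a first-broker-login authenticator that links to an existing user only when exactly one enabled user carries the asserted attribute, and otherwise stops the login. The class name and the message key are hypothetical; it assumes an IdP mapper copies the `token-id` value into the brokered context and that the class is registered through an `AuthenticatorFactory` and placed in the first broker login flow.

```java
import java.util.List;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response; // jakarta.ws.rs.core.Response on newer Keycloak releases
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class AttributeLinkAuthenticator extends AbstractIdpAuthenticator {
    // Assumption: an IdP mapper stores the asserted value under this name, and
    // existing Keycloak users carry the same attribute with a unique value.
    static final String LINK_ATTRIBUTE = "token-id";

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
            SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) {
        String asserted = brokerContext.getUserAttribute(LINK_ATTRIBUTE);
        if (asserted == null || asserted.isBlank()) { deny(context); return; }

        // Fetch at most two hits: anything other than exactly one is rejected.
        List<UserModel> matches = context.getSession().users()
                .searchForUserByUserAttributeStream(context.getRealm(), LINK_ATTRIBUTE, asserted)
                .limit(2).collect(Collectors.toList());
        if (matches.size() != 1 || !matches.get(0).isEnabled()) { deny(context); return; }

        // Hand the existing user to the flow; no new account is created here.
        context.setUser(matches.get(0));
        context.success();
    }

    // Fail closed: the login stops with an error page.
    private void deny(AuthenticationFlowContext context) {
        Response page = context.form()
                .setError("noMatchingAccount") // hypothetical message key
                .createErrorPage(Response.Status.FORBIDDEN);
        context.failure(AuthenticationFlowError.UNKNOWN_USER, page);
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
            SerializedBrokeredIdentityContext serializedCtx, BrokeredIdentityContext brokerContext) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return false; }
}
```

Because the match decides which account the external identity is bound to, the linking attribute should be one that end users cannot edit on their own Keycloak profile.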