I have an Agency with internal users in LDAP for Identity/Attributes and a single IDP.
But this will need to expand to support multiple external Partner IDPs or Public such as login[.]gov via JIT provisioning.
All the account associations need to use Issuer + Subject mapping to ensure there are no subject collisions or any ability to impersonate between IDPs (i.e., a user with myemail[@]gmail[.]com from login[.]gov could not be associated with myemail[@]gmail[.]com from a Partner).
What I really need is a way to say “Internal Synced Users” can only authenticate with the Agency IDP.
Each Partner or Public IDP creates a unique account bound via Issuer+Subject while maintaining the proper preferred_username in the claims sent to apps, so they can get something like OriginalIDP-Alias and OriginalIDP-Preferred-Username during re-auth events to flow up to the right IDP with login_hint.
I was hoping to avoid having to create a realm for every partner in this case, and maybe have 2x at most - My Agency and EveryoneElse or something.
The closest I have gotten was using scoped usernames with the ${ALIAS}.${CLAIM.id} concept, but I didn’t have a way to strip the prefix on the outbound preferred_username.
Any advice, or if someone has done something similar, what worked well for your setup?
Considerations
- Email is not considered unique in this environment but may be the “username” preferred by the external IDP.
- Email does not determine Organization (Partner) association; the IDP you log in with does, and I may share an email address across IDPs.
- Usernames need to be uniquely scoped to issuers and accessible to applications as preferred_username so on re-auth we can flow that from app → keycloak → IDP login_hint.
- There’s currently 1x Broker Realm to manage users and sub-realms for applications that log in via the broker realm.
Internal users are synced via the LDAP directory but don’t have “credentials” like passwords that can be used there. For us it’s really just for attribute management and mapping groups/roles; then, with a single IDP trusted, it’s no problem to just map across the Immutable ID for each Identity to automatically link accounts during login.
^ Everything is just fine with the single Agency IDP in this setup. Users sync in from LDAP with roles, on first login they are automatically associated with the Agency IDP based on the Immutable ID (broker id), the username is our unique username, happy users, happy apps.
Stuff tried
- Organizations. But this relies on unique email-domain-to-IDP mappings; this doesn’t work because the association is the Issuer (IDP), not the email domain.
  E.g., I could have a login[.]gov user with myuser[@]company.com and also a Partner Company IDP with user myuser[@]company.com. The association is the IDP, not the email domain. When logging in through login[.]gov they are “Public” with public/guest roles, and when logging in through “Company”, they get partner roles.
- The built-in “Detect existing user” appears to fall through to email and could allow impersonation when attempting to auto-link.
- Using scoped usernames with “create user if unique” or “automatically set user” if they aren’t, to automatically link things. The scoped usernames appear to work, but then preferred_username gets dorked unless all apps can handle an added prefix/suffix - or it can be stripped somewhere in an outbound claims rule (custom plugin with regex maybe).
  This one seemed to get closest to the desired results. So each Username would use the ${ALIAS}.${CLAIM.id} concept to ensure no impersonation between IDPs.
Is this just the right way to go here?
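As an added example (not from the original post and not Keycloak’s own code), a custom OIDC protocol mapper that strips the ${ALIAS}. scope prefix from the outbound preferred_username and emits the broker alias and subject as separate claims, so an app can hand them back on re-auth as a login/IdP hint. It assumes the Keycloak protocol-mapper SPI classes named in the imports, that the scoped username is what is stored as the account username, and that the package name and provider id are placeholders; the META-INF/services registration and build are omitted.

```java
package example.keycloak;  // hypothetical package name

import java.util.ArrayList;
import java.util.List;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/** Emits preferred_username without the "<alias>." scope prefix, plus idp_alias / idp_subject claims. */
public class ScopedUsernameMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "scoped-username-mapper";  // assumed provider id
    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();
    static { OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, ScopedUsernameMapper.class); }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Scoped username (strip IdP alias)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Strips the IdP alias prefix from preferred_username."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel model, UserSessionModel userSession,
                            KeycloakSession session, ClientSessionContext ctx) {
        UserModel user = userSession.getUser();
        String stored = user.getUsername();  // e.g. "logingov.<subject>" under the ${ALIAS}.${CLAIM.id} scheme
        // Read the linked broker identity instead of splitting on the first ".", because the
        // subject part of the scoped username may itself contain dots.
        FederatedIdentityModel link = session.users()
                .getFederatedIdentitiesStream(userSession.getRealm(), user)
                .findFirst().orElse(null);
        if (link == null) return;  // not a brokered account: leave the claims untouched
        String alias = link.getIdentityProvider();
        String plain = stored.startsWith(alias + ".") ? stored.substring(alias.length() + 1) : stored;
        token.setPreferredUsername(plain);  // unscoped value, as the app expects
        token.getOtherClaims().put("idp_alias", alias);            // which IdP to route re-auth to
        token.getOtherClaims().put("idp_subject", link.getUserId()); // Issuer+Subject identity
    }
}
```

Because the built-in username mapper also writes preferred_username, remove it from the client scope or make sure this mapper runs after it; internal LDAP users keep their plain username since it carries no alias prefix.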