I would like to know if it is possible to take control of the username and password form that is first presented when logging into Keycloak. Let me explain better.
Currently I have an Identity Provider with Keycloak that connects with a Palo Alto firewall through SAML. I use the GP client to connect to the VPN, and I get redirected to Keycloak. Keycloak presents the username and password form and, once the credentials are entered and validated, I get access to the VPN. Up to here, everything is good and working properly.
My question then is, can I take control of this form, do my own credentials validation (against a DB, for example) and return OK or not OK as the result of this validation? Maybe I have to create a custom Username and Password form and use it in the Authentication flow?
Any suggestion will be more than welcome.
Your question is all over the map, unfortunately! Keycloak supports SAML, in the sense that you can make your own login solution that uses Keycloak as a SAML provider to authenticate a user/password pair against, when such credentials are stored in any form with Keycloak.
You can also customize the login form of Keycloak to a great extent using theming and other means.
You can use User federation, including writing your own adapter, to authorize username and password for Keycloak to then provide OAuth2 services.
It depends on what you actually want Keycloak to do for you. Usually it would be best to let Keycloak handle the login. You won’t be able to implement an equally secure login form, including MFA and such things…
I had the time to come back to this, and I was able to implement a second form (username and password) and place it after the first form that is presented by Keycloak, using the authenticate() method and doing my own validations in the action() method. That works great.
After that, if I modify the Authentication flow and delete the first form that is presented by Keycloak, leaving my custom form in first place, then my own form is presented first, but validation returns an ‘invalid username and password’. It seems that Keycloak needs in some way to authenticate the users in its own database through some form (username, password, username and password, etc.).
I've tried a few other examples that are available on the Internet, but all of them also need to validate users that are stored in Keycloak.
What would be the proper way to avoid storing users locally in Keycloak and validate them with my own form? Also, I don't want to use User Federation as I want to use more custom forms (or Google OTP) after my first custom form.
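The authenticate()/action() pair the follow-up post describes, as an added illustration that is not code from the poster or from Keycloak itself: a first-step Authenticator that renders a custom form, validates the credentials outside Keycloak, and then attaches a UserModel to the flow context, which is what the flow needs to finish without the generic invalid-credentials error. The class name, `externalValidation()` and the `custom-login.ftl` template are assumptions; the `javax.ws.rs` imports and the `getUserByUsername(realm, username)` signature match Keycloak versions before the jakarta move (adjust for newer releases).

```java
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Hypothetical first-step authenticator: credentials are checked outside Keycloak. */
public class ExternalCredentialAuthenticator implements Authenticator {
    // Hypothetical external check (own DB, API, ...); stubbed so the class compiles.
    private boolean externalValidation(String username, String password) {
        return false; // replace with the call to your own credential store
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Render the custom template from the login theme (assumed file name).
        Response form = context.form().createForm("custom-login.ftl");
        context.challenge(form);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
        String username = params.getFirst("username");
        String password = params.getFirst("password");
        if (username == null || password == null || !externalValidation(username, password)) {
            // Same generic message for unknown user and wrong password (no user enumeration).
            Response retry = context.form().setError("invalidUserMessage").createForm("custom-login.ftl");
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, retry);
            return;
        }
        // The flow only completes with a UserModel on the context; without setUser()
        // Keycloak ends the login with the generic invalid-credentials error.
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        UserModel user = session.users().getUserByUsername(realm, username);
        if (user == null) {
            // Just-in-time shadow record: the password itself is never stored in Keycloak.
            user = session.users().addUser(realm, username);
            user.setEnabled(true);
        }
        context.setUser(user);
        context.success(); // later steps (e.g. an OTP form) now run against this user
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Registering the class still needs a matching AuthenticatorFactory and a META-INF/services entry, which are omitted here; the shadow record is the minimal local representation Keycloak requires for session and token issuance, so "no local users at all" is not achievable with a plain Authenticator.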