User Creation flow with sso

I am using keycloak with google sso enabled.
If a new user tries to log in using SSO, keycloak creates a new user and then completes the login process. Since the user is not added to any groups, the user will not be able to access anything in the application.

Is there a way we can disable the automatic user creation with sso?

You mean like when the user logs in to the system, keycloak should not create an account for the newly logged-in user? But how will keycloak retrieve user data later on if it doesn’t create an account for the user?

@thomasavio

I am creating users through another flow with a custom username and other custom fields which are taken from my backend table.
The issue is that if I enable SSO, a user without an account is able to log in using SSO (he won’t be able to access anything). Keycloak is creating a new user with the Gmail address received from SSO as the username.
@lamoboos223

@thomasavio what do you mean by enabling SSO? Can you give screenshots?

@lamoboos223
With Google SSO disabled

enabled

If a new user clicks on Sign in with Google, keycloak creates a new account.


Ok, I see it now. Instead of using the built-in Google social login, why don’t you create your own Google social login so you can apply the custom rules on the username?

@thomasavio

User creation I will handle via the admin API, since I will get the custom fields I need to add only if I add the user to the application DB first.
The only thing I need here is that if a new user (who doesn’t have an account) tries to log in via SSO, keycloak should throw an error saying the user does not exist instead of creating a user.
@lamoboos223

So you want anyone who logs in with Google social login to have a certain group/role once their account is created in keycloak. Have you thought of mappers in the configuration?

• Navigate to the Identity Providers section in Keycloak and select your Google identity provider.
• Go to the “Mappers” tab.
• Create a new Mapper of type “Hardcoded Role” or “Hardcoded Group”.
• Set the role or group you want to assign to the user upon login.

For this requirement, the Detect existing broker user authenticator step might be your friend:
Detect if there is an existing Keycloak account with the same email as the identity provider. If not, throw an error.

Create a custom “first broker login” flow where you integrate the above-mentioned step as desired.

@dasniko
When a user tries to log in via SSO:

  1. check if a user with the same email exists, otherwise throw an error
  2. if a user with that email exists and the identity provider details are not saved, then save them and log the user in
  3. if the identity provider details are already saved, then log the user in

Can you please provide a sample to implement this flow?

Below is the default flow:
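The three steps above as an added example (not from the thread or the Keycloak project): a Python script against the Keycloak Admin REST API that creates a custom first-broker-login flow containing only the built-in Detect existing broker user and Automatically set existing user executions, both REQUIRED, and binds it to the Google identity provider. The server URL, realm name, IdP alias and admin credentials are placeholders.

```python
"""Added example (not from the thread): first-broker-login flow that errors unless an
account with the same email exists, then links the Google identity. All values are placeholders."""
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL, REALM, IDP_ALIAS = "http://localhost:8080", "myrealm", "google"  # placeholders
FLOW_ALIAS = "existing-users-only-first-broker-login"
# Built-in authenticators in execution order: "Detect existing broker user" fails the login
# when no account matches by email; "Automatically set existing user" links without prompting.
FLOW_STEPS = [("idp-detect-existing-broker-user", "REQUIRED"), ("idp-auto-link", "REQUIRED")]

def flow_representation(alias=FLOW_ALIAS):
    """Body for POST /admin/realms/{realm}/authentication/flows (a new top-level flow)."""
    return {"alias": alias, "providerId": "basic-flow", "topLevel": True, "builtIn": False,
            "description": "Reject SSO logins that have no matching Keycloak account"}

def requirement_updates(executions, steps=FLOW_STEPS):
    """Executions are created DISABLED; build the PUT bodies that make each step REQUIRED."""
    wanted = dict(steps)
    return [{"id": e["id"], "requirement": wanted[e["providerId"]]}
            for e in executions if e.get("providerId") in wanted]

def admin_request(method, path, token, body=None):
    req = urllib.request.Request(f"{KEYCLOAK_URL}/admin/realms/{REALM}/{path}", method=method,
                                 data=None if body is None else json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def admin_token(user, password):
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": user, "password": password}).encode()
    with urllib.request.urlopen(f"{KEYCLOAK_URL}/realms/master/protocol/openid-connect/token", form) as r:
        return json.load(r)["access_token"]

def install_flow(token):
    admin_request("POST", "authentication/flows", token, flow_representation())
    exec_path = f"authentication/flows/{urllib.parse.quote(FLOW_ALIAS)}/executions"
    for provider, _ in FLOW_STEPS:  # each POST appends one execution to the new flow
        admin_request("POST", f"{exec_path}/execution", token, {"provider": provider})
    for update in requirement_updates(admin_request("GET", exec_path, token)):
        admin_request("PUT", exec_path, token, update)
    idp = admin_request("GET", f"identity-provider/instances/{IDP_ALIAS}", token)
    idp["firstBrokerLoginFlowAlias"] = FLOW_ALIAS  # bind the new flow to the Google IdP
    admin_request("PUT", f"identity-provider/instances/{IDP_ALIAS}", token, idp)

if __name__ == "__main__":
    install_flow(admin_token("admin", "change-me"))  # placeholder admin credentials
```

Step 3 needs no execution of its own: Keycloak runs the first-broker-login flow only when the Google identity is not yet linked to an account, so users whose link is already saved go straight through to login.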