Using kc_idp_hint to skip default idp with SAML?

I’m trying to use kc_idp_hint to skip the default identity provider for some users as explained here. Concretely, my scenario matches this:

The kc_idp_hint query parameter also allows the client to override the default identity provider if one is configured for the Identity Provider Redirector authenticator. The client can also disable the automatic redirecting by setting the kc_idp_hint query parameter to an empty value.

My client is connected to Keycloak via SAML but the documentation mentions “OIDC applications” and “Authorization Code Flow” so I’m wondering if this is even supported for SAML clients.

My end goal is having Keycloak invisible to users (hence the default idp) unless some users explicitly ask for a different (hence the kc_idp_hint) auth source (e.g. ldap).

Is there any alternative?

If others face the same problem, I want to clarify that kc_idp_hint also works with SAML.

Here’s what I was doing wrong:
I was assuming that I could avoid the federated idp default redirector by going to the realm account url with an empty kc_idp_hint (like http://kc.example.com/auth/realms/example/account?kc_idp_hint=), but this was not working; it would still redirect to the default federated idp.

The correct place to pass the kc_idp_hint query parameter is in the SAML auth request. The same HTTP request that contains the SAML authentication request. This is pretty obvious now but it wasn’t when I started experimenting with it.

Hi @dipwrk, thanks for the information, it was useful.

Appreciate

Hi @dipwrk, how have you combined the kc_idp_hint parameter in the SAML request? Is it included in the XML? Is it a separate query parameter?

And is this with the POST or GET binding?

Thanks.

@chris.brandhorst I’m sending it as a query parameter in the HTTP GET request that contains the SAML auth request:
GET {keycloak url}/auth/realms/{realm}/protocol/saml?SAMLRequest={...}&kc_idp_hint={...}

@dipwrk Is it correct that you are building up the SAMLRequest payload here manually or with some external SAML library in your application?

I think I’m pursuing the same or a similar outcome as you: My application has knowledge of the identity provider to be used for a given user and wants to initiate the SAML flow with that specific provider. Keycloak is invisible to the user.

I use onelogin, but that is irrelevant in this case. kc_idp_hint is not part of the SAMLRequest XML, it’s just a query parameter in the HTTP request that includes the SAMLRequest.
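The following is an added example (not code from this thread, from Keycloak, or from the OneLogin toolkit) of what @dipwrk describes in the two answers above: the SP builds the HTTP-Redirect SAMLRequest itself and puts kc_idp_hint beside it as a plain query parameter, with a decoder to check what was actually sent. The host, realm, SP URLs and function names are assumptions.

```python
# Added example: SP-initiated SAML redirect to Keycloak with kc_idp_hint as
# a sibling query parameter of SAMLRequest (not inside the XML). All names
# and URLs below are assumed for illustration.
import base64
import urllib.parse
import zlib
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id, acs_url, request_id, issue_instant):
    """Minimal unsigned AuthnRequest XML for the HTTP-Redirect binding."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect_payload(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return base64.b64encode(deflated).decode()


def saml_login_url(keycloak_base, realm, xml, idp_hint=None, relay_state=None):
    """Keycloak SAML endpoint URL with kc_idp_hint next to SAMLRequest.
    idp_hint=None omits the parameter (the default redirector applies);
    idp_hint="" sends an empty value, which the docs describe as disabling
    the automatic redirect; any other alias selects that identity provider."""
    params = {"SAMLRequest": encode_redirect_payload(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    if idp_hint is not None:
        params["kc_idp_hint"] = idp_hint
    return f"{keycloak_base}/realms/{realm}/protocol/saml?" + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """Inverse of the above: returns the parsed AuthnRequest and the hint sent."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query, keep_blank_values=True)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode()
    return ET.fromstring(xml), qs.get("kc_idp_hint", [None])[0]
```

A signed request would additionally carry SigAlg and Signature parameters; kc_idp_hint stays outside the signed material either way.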
