Keycloak flow to allow only authorized IDP accounts











I would like to set up Google federation using Keycloak, however only for authorized users in my company.

Setting up Google federation allows any Google account to log in.

I have looked at the authentication flow in Keycloak but I have been unable to find a way to set it up. I can think of a few simple scenarios that I had hoped Keycloak allowed out of the box:

  1. Instead of automatically creating an account when somebody tries to log in, require that an account with the exact same email/username already exists and just link them based on the email when that specific user tries to log in.

  2. Automatically create an account the first time the user logs in using Google and link them, however require an admin to manually activate the account before it can be used.

  3. A combination of the first 2. Enable registration, allow the user to register an account and require an admin to activate the account, at which point the user can link them.

Try as I might, I seem to be unable to configure this. There seems to be no way to have Keycloak create an account that requires activation, and if I try to create a flow where the "unique account creation" authenticator is not included, it immediately throws the user to an "invalid username/password" screen.

Did I miss something? Is there no other option than manually creating an account and linking it for every single user (or writing my own authenticator, which I am trying to avoid)?










      keycloak idp






      asked Nov 22 at 16:11









      ByteFlinger

          1 Answer
You could implement a custom form action. It's easier than you would expect.

If you don't want to write code, you could maybe use the 'Script' form action which is already available. You can get to it this way:

Authentication -> Select 'First broker login' in the dropdown -> Make a copy of it (making a copy allows you to edit it). Now click 'Add execution' and choose 'Script'. Move it upwards to the top, so it's the first form action in your flow. Set the radio button to 'REQUIRED' and go to Actions -> Config. Now in the script you can check the username or email against a pattern (maybe the domain name of your company); if the pattern match fails, you can call the context.failure(..) method, which is already available in the default script.

Make sure that you select this (new) first broker login flow in your identity provider configuration.






                answered Nov 25 at 19:58









                ChristopherS
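Worked example (added by the editor; this is not code from the question, the answer or the Keycloak project): a domain allow-list check of the kind the answer describes, written as a Keycloak Script authenticator for a copy of the "First broker login" flow. The ALLOWED_DOMAINS list, the helper names emailDomain / emailAllowed / brokeredEmail and the sample addresses are constructed for this example. The Keycloak bindings used inside authenticate() and brokeredEmail() (Java.type, LOG, the context object, the SerializedBrokeredIdentityContext class and the "BROKERED_CONTEXT" note name) are assumed from Keycloak's script-authenticator and identity-brokering code, not taken from the original post.

```javascript
// Added example, not code from the question or the answer: a first-broker-login
// Script authenticator that only lets e-mail addresses from allow-listed domains
// through. Written in ES5 (var, no arrow functions) because Keycloak's script
// engine has historically been Nashorn. Keycloak-only bindings (Java.type, LOG,
// the context passed to authenticate) are touched only inside authenticate() and
// brokeredEmail(), so the pure check also runs under Node for testing.

// Assumption: the company domains to accept (constructed for the example).
var ALLOWED_DOMAINS = ["example.com", "corp.example.com"];

// Extracts the lower-cased, normalised domain of an e-mail address.
// Returns null when there is no usable domain.
function emailDomain(email) {
  if (typeof email !== "string") {
    return null;
  }
  var s = email.trim();
  // Split on the LAST '@': a quoted local part may itself contain '@',
  // e.g. "x@example.com"@attacker.net belongs to attacker.net.
  var at = s.lastIndexOf("@");
  if (at <= 0 || at === s.length - 1) {
    return null;
  }
  var domain = s.slice(at + 1).toLowerCase();
  // Strip a trailing dot (a fully-qualified name for the same zone).
  if (domain.charAt(domain.length - 1) === ".") {
    domain = domain.slice(0, -1);
  }
  // Only plain DNS labels: no spaces, slashes, brackets or odd characters.
  var label = "[a-z0-9]([a-z0-9-]*[a-z0-9])?";
  var dns = new RegExp("^" + label + "(\\." + label + ")+$");
  if (!dns.test(domain)) {
    return null;
  }
  return domain;
}

// Exact match against the allow-list. Deliberately NOT endsWith(): the address
// bob@evilexample.com ends with "example.com" but is not ours, and neither is
// mallory@example.com.attacker.net.
function emailAllowed(email, allowed) {
  var domain = emailDomain(email);
  if (domain === null) {
    return false;
  }
  return allowed.indexOf(domain) !== -1;
}

// In the first-broker-login flow the local user does not exist yet (creating it
// is what the flow is about to do), so the global `user` binding is null. The
// identity asserted by the IdP lives in the authentication session instead.
// Assumption: Keycloak's SerializedBrokeredIdentityContext class and the
// "BROKERED_CONTEXT" note name used by its broker authenticators.
function brokeredEmail(context) {
  var Serialized = Java.type(
    "org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
  var brokered = Serialized.readFromAuthenticationSession(
    context.getAuthenticationSession(), "BROKERED_CONTEXT");
  if (brokered === null) {
    return null;
  }
  var email = brokered.getEmail();
  return email === null ? null : String(email);
}

// Entry point Keycloak invokes for a Script authenticator execution.
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var email = brokeredEmail(context);
  if (!emailAllowed(email, ALLOWED_DOMAINS)) {
    // Log the rejection for the SOC, but show the user a generic failure.
    LOG.warn("first broker login rejected, e-mail domain not allowed: " + email);
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  context.success();
}
```

The pure functions run under Node as well, which is how the allow-list logic can be unit-tested before it is deployed; only authenticate() and brokeredEmail() need Keycloak. Two caveats for practitioners: the script trusts the e-mail the IdP asserts, so for Google the provider's "Hosted Domain" setting (which checks the hd claim of a Google Workspace account) is the stronger control and this script is defence in depth on top of it; and in recent Keycloak releases the Script authenticator is a preview feature (scripts) whose scripts are deployed in a provider JAR rather than pasted into the admin console as the answer describes.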
