Keycloak flow to allow only authorized IDP accounts











up vote
0
down vote

favorite












I would like to setup Google federation using Keycloak however only for authorized users in my company.



Setting up Google federation allows any Google account to login.



I have looked at the authentication flow on Keycloak but I have been unable to find a way to set it up. I can think of a few simple scenarios that I had hoped Keycloak allowed out of the box




  1. Instead of automatically creating an account when somebody tries to login, require that an account with the exact same email/username already exists and just link them based on the email when that specific user tries to login.


  2. Automatically create an account the first time the user logs in using Google, link them however require an admin to manually activate the account before it can be used


  3. A combination of the first 2. Enable registration, allow the user to register an account and require an admin to activate the account, at which point the user can link them.



Try as I might, I seem to be unable to configure this. There seems to be no way to have Keycloak create an account that requires activation and if I try to create a flow where the "unique account creation" authenticator is not include, it immediately throws the user to an "invalid username/password" screen.



Did I miss something? Is there no other option than manually creating an account and linking it for every single user (or write my own authenticator which I am trying to avoid)?










share|improve this question


























    up vote
    0
    down vote

    favorite












    I would like to setup Google federation using Keycloak however only for authorized users in my company.



    Setting up Google federation allows any Google account to login.



    I have looked at the authentication flow on Keycloak but I have been unable to find a way to set it up. I can think of a few simple scenarios that I had hoped Keycloak allowed out of the box




    1. Instead of automatically creating an account when somebody tries to login, require that an account with the exact same email/username already exists and just link them based on the email when that specific user tries to login.


    2. Automatically create an account the first time the user logs in using Google, link them however require an admin to manually activate the account before it can be used


    3. A combination of the first 2. Enable registration, allow the user to register an account and require an admin to activate the account, at which point the user can link them.



    Try as I might, I seem to be unable to configure this. There seems to be no way to have Keycloak create an account that requires activation and if I try to create a flow where the "unique account creation" authenticator is not include, it immediately throws the user to an "invalid username/password" screen.



    Did I miss something? Is there no other option than manually creating an account and linking it for every single user (or write my own authenticator which I am trying to avoid)?










    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I would like to setup Google federation using Keycloak however only for authorized users in my company.



      Setting up Google federation allows any Google account to login.



      I have looked at the authentication flow on Keycloak but I have been unable to find a way to set it up. I can think of a few simple scenarios that I had hoped Keycloak allowed out of the box




      1. Instead of automatically creating an account when somebody tries to login, require that an account with the exact same email/username already exists and just link them based on the email when that specific user tries to login.


      2. Automatically create an account the first time the user logs in using Google, link them however require an admin to manually activate the account before it can be used


      3. A combination of the first 2. Enable registration, allow the user to register an account and require an admin to activate the account, at which point the user can link them.



      Try as I might, I seem to be unable to configure this. There seems to be no way to have Keycloak create an account that requires activation and if I try to create a flow where the "unique account creation" authenticator is not include, it immediately throws the user to an "invalid username/password" screen.



      Did I miss something? Is there no other option than manually creating an account and linking it for every single user (or write my own authenticator which I am trying to avoid)?










      share|improve this question













      I would like to setup Google federation using Keycloak however only for authorized users in my company.



      Setting up Google federation allows any Google account to login.



      I have looked at the authentication flow on Keycloak but I have been unable to find a way to set it up. I can think of a few simple scenarios that I had hoped Keycloak allowed out of the box




      1. Instead of automatically creating an account when somebody tries to login, require that an account with the exact same email/username already exists and just link them based on the email when that specific user tries to login.


      2. Automatically create an account the first time the user logs in using Google, link them however require an admin to manually activate the account before it can be used


      3. A combination of the first 2. Enable registration, allow the user to register an account and require an admin to activate the account, at which point the user can link them.



      Try as I might, I seem to be unable to configure this. There seems to be no way to have Keycloak create an account that requires activation and if I try to create a flow where the "unique account creation" authenticator is not include, it immediately throws the user to an "invalid username/password" screen.



      Did I miss something? Is there no other option than manually creating an account and linking it for every single user (or write my own authenticator which I am trying to avoid)?







      keycloak idp






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 22 at 16:11









      ByteFlinger

      7291429




      7291429
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          You could implement a custom form action. It's easier than you would expect.



          If you don't want to write code you could maybe use the 'script' form action which is already available. You can get to it this way:



          Authentication -> Select 'First broker login' in the dropdown -> Make a copy of it (Making a copy of it allows you to edit it). Now click 'Add execution' and chose 'Script'. Move it upwards to the top, so it's the first form action in your flow. Put the radio button on 'REQUIRED' and go to actions -> config. Now in the script you could check the username or email to match a pattern (maybe the domain name of your company), if the pattern match fails, you can call the context.failure(..) method, which is already available in the default script.



          Make sure that you select this (new) first broker login in your identity provider configuration.






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53434774%2fkeycloak-flow-to-allow-only-authorized-idp-accounts%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            You could implement a custom form action. It's easier than you would expect.



            If you don't want to write code you could maybe use the 'script' form action which is already available. You can get to it this way:



            Authentication -> Select 'First broker login' in the dropdown -> Make a copy of it (Making a copy of it allows you to edit it). Now click 'Add execution' and chose 'Script'. Move it upwards to the top, so it's the first form action in your flow. Put the radio button on 'REQUIRED' and go to actions -> config. Now in the script you could check the username or email to match a pattern (maybe the domain name of your company), if the pattern match fails, you can call the context.failure(..) method, which is already available in the default script.



            Make sure that you select this (new) first broker login in your identity provider configuration.






            share|improve this answer

























              up vote
              0
              down vote













              You could implement a custom form action. It's easier than you would expect.



              If you don't want to write code you could maybe use the 'script' form action which is already available. You can get to it this way:



              Authentication -> Select 'First broker login' in the dropdown -> Make a copy of it (Making a copy of it allows you to edit it). Now click 'Add execution' and chose 'Script'. Move it upwards to the top, so it's the first form action in your flow. Put the radio button on 'REQUIRED' and go to actions -> config. Now in the script you could check the username or email to match a pattern (maybe the domain name of your company), if the pattern match fails, you can call the context.failure(..) method, which is already available in the default script.



              Make sure that you select this (new) first broker login in your identity provider configuration.






              share|improve this answer























                up vote
                0
                down vote










                up vote
                0
                down vote









                You could implement a custom form action. It's easier than you would expect.



                If you don't want to write code you could maybe use the 'script' form action which is already available. You can get to it this way:



                Authentication -> Select 'First broker login' in the dropdown -> Make a copy of it (Making a copy of it allows you to edit it). Now click 'Add execution' and chose 'Script'. Move it upwards to the top, so it's the first form action in your flow. Put the radio button on 'REQUIRED' and go to actions -> config. Now in the script you could check the username or email to match a pattern (maybe the domain name of your company), if the pattern match fails, you can call the context.failure(..) method, which is already available in the default script.



                Make sure that you select this (new) first broker login in your identity provider configuration.






                share|improve this answer












                You could implement a custom form action. It's easier than you would expect.



                If you don't want to write code you could maybe use the 'script' form action which is already available. You can get to it this way:



                Authentication -> Select 'First broker login' in the dropdown -> Make a copy of it (Making a copy of it allows you to edit it). Now click 'Add execution' and chose 'Script'. Move it upwards to the top, so it's the first form action in your flow. Put the radio button on 'REQUIRED' and go to actions -> config. Now in the script you could check the username or email to match a pattern (maybe the domain name of your company), if the pattern match fails, you can call the context.failure(..) method, which is already available in the default script.



                Make sure that you select this (new) first broker login in your identity provider configuration.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 25 at 19:58









                ChristopherS

                748313




                748313






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53434774%2fkeycloak-flow-to-allow-only-authorized-idp-accounts%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    What visual should I use to simply compare current year value vs last year in Power BI desktop

                    How to ignore python UserWarning in pytest?

                    Alexandru Averescu