I am using Keycloak as an identity broker to a SAML identity provider in order to log in to a web application.
To get it to work I have created a new authentication flow which looks like: "Create User If Unique", "Automatically Link Brokered Account".
Keycloak redirects correctly to the identity provider with the login page. After login, the identity provider redirects as expected to Keycloak and then to my web application, but Keycloak also creates a local user.
Is it possible to use an external IdP without local user creation?
The problem with local users: I have a "custom user federation" implementation which fetches users from my application, and if a local user is created it's not possible to log in to Keycloak using the "custom user federation". Keycloak will just try to log in as with a local user.
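The two-step first-broker-login flow described in the question, scripted against the Keycloak admin REST API as an added example (not code from the question or from Keycloak itself). The flow and IdP aliases, the bearer token, and the mapping of the two step names to the authenticator ids `idp-create-user-if-unique` and `idp-auto-link` are assumptions; the `DryRunTransport` records the calls offline so the sequence can be checked without a server.

```python
import json
import urllib.request

FLOW_ALIAS = "saml-first-broker-login"  # assumed name for the custom flow
IDP_ALIAS = "corp-saml"                 # assumed alias of the SAML identity provider
# Assumed authenticator ids behind the two steps named in the question.
STEPS = ["idp-create-user-if-unique", "idp-auto-link"]


def http_json(method, url, token, body=None):
    """Live transport: one JSON call to the Keycloak admin REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


class DryRunTransport:
    """Offline stand-in for http_json: records calls, answers GETs with constructed data."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url.split("/admin/realms/", 1)[1], body))
        if method == "GET" and url.endswith("/executions"):
            return [{"id": f"exec-{i}", "providerId": p, "requirement": "DISABLED"}
                    for i, p in enumerate(STEPS)]
        if method == "GET" and "/identity-provider/instances/" in url:
            return {"alias": IDP_ALIAS, "providerId": "saml", "enabled": True}
        return None


def configure_first_broker_login(base, realm, token, send=http_json):
    """Create the two-step flow, mark both steps ALTERNATIVE, bind it to the IdP."""
    api = f"{base}/admin/realms/{realm}"
    send("POST", f"{api}/authentication/flows", token, {
        "alias": FLOW_ALIAS, "providerId": "basic-flow", "topLevel": True, "builtIn": False})
    for provider in STEPS:
        send("POST", f"{api}/authentication/flows/{FLOW_ALIAS}/executions/execution",
             token, {"provider": provider})
    # ALTERNATIVE on both: an existing user makes step 1 hand over to step 2, which
    # links the brokered identity without verification, so the IdP must be trusted.
    executions = send("GET", f"{api}/authentication/flows/{FLOW_ALIAS}/executions", token)
    for execution in executions:
        execution["requirement"] = "ALTERNATIVE"
        send("PUT", f"{api}/authentication/flows/{FLOW_ALIAS}/executions", token, execution)
    idp = send("GET", f"{api}/identity-provider/instances/{IDP_ALIAS}", token)
    idp["firstBrokerLoginFlowAlias"] = FLOW_ALIAS
    send("PUT", f"{api}/identity-provider/instances/{IDP_ALIAS}", token, idp)
    return executions
```

Pass `send=http_json` (the default) with a real admin token to apply the same sequence to a running Keycloak.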
Unfortunately, it is currently not possible to skip the creation of a local user account. According to the Keycloak team, they are deferring the support "as we are planning on some larger work to the storage layer which will make it possible to deliver on this capability". See Feature Request https://issues.jboss.org/browse/KEYCLOAK-4429.