I am managing a Keycloak realm with a single, fully trusted external IdP that is intended to be the default authentication mechanism for users.
I do not want to allow users to register, i.e. I want to manually create a local Keycloak user, and that user should then be allowed to link their external IdP account to the pre-existing Keycloak account, using the email address as the common identifier. Users with access to the external IdP but without an existing Keycloak account should not be allowed to connect.
I tried the following First Broker Login settings, but whenever a user tries to log in, he gets an error message (code: invalid_user_credentials).
Do you have any idea what my mistake might be?
Looks like they integrated this feature in version 4.5.0.
See automatic account link docs.
Basically, you need to create a new flow and add 2 alternative executions:
Create User If Unique
Automatically Link Brokered Account
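As an added example (not code from the original question or answer, and not part of Keycloak itself), the following Python script builds the flow described in the answer through the Keycloak Admin REST API using only the standard library: it creates a new top-level first-broker-login flow, adds the two executions with requirement ALTERNATIVE, and binds the flow to the identity provider. It also offers a stricter variant that goes beyond the answer: because "Create User If Unique" creates a local account for any brokered identity that does not yet exist, it does not by itself enforce the question's requirement that users without a pre-existing Keycloak account be refused. With `--strict` the script instead uses "Detect Existing Broker User" (REQUIRED) followed by "Automatically Link Brokered Account" (REQUIRED), which fails the login unless a local user with the same email or username already exists. The server URL, admin credentials, realm name, IdP alias and flow alias are assumed values supplied via environment variables; the provider IDs are the ones Keycloak registers for these executions.

```python
"""Create and bind a Keycloak first-broker-login flow via the Admin REST API (stdlib only)."""
import json
import urllib.parse
import urllib.request

# Provider IDs as registered by Keycloak for the executions named in the answer.
CREATE_USER_IF_UNIQUE = "idp-create-user-if-unique"       # "Create User If Unique"
AUTO_LINK = "idp-auto-link"                               # "Automatically Link Brokered Account"
DETECT_EXISTING_USER = "idp-detect-existing-broker-user"  # "Detect Existing Broker User"


def build_flow_executions(strict):
    """Return (provider, requirement) pairs in flow order.

    strict=False reproduces the answer: two ALTERNATIVE executions, so an unknown
    brokered user gets a new local account and a known one is linked by email/username.
    strict=True refuses brokered users without a local account: Detect Existing Broker
    User fails the login unless a matching local user exists, then the link is made.
    """
    if strict:
        return [(DETECT_EXISTING_USER, "REQUIRED"), (AUTO_LINK, "REQUIRED")]
    return [(CREATE_USER_IF_UNIQUE, "ALTERNATIVE"), (AUTO_LINK, "ALTERNATIVE")]


def flow_path(alias):
    """Admin API path for a flow; aliases may contain spaces, so percent-encode them."""
    return f"authentication/flows/{urllib.parse.quote(alias)}"


def get_admin_token(base_url, username, password, realm="master"):
    """Password grant against the admin-cli client of the master realm."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


class KeycloakAdmin:
    """Minimal Admin REST client. base_url is e.g. http://localhost:8080 (assumed; add /auth for Keycloak < 17)."""

    def __init__(self, base_url, realm, token):
        self.base, self.realm, self.token = base_url.rstrip("/"), realm, token

    def _call(self, method, path, body=None):
        url = f"{self.base}/admin/realms/{self.realm}/{path}"
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.headers, (json.loads(raw) if raw else None)

    def create_first_broker_login_flow(self, alias, strict):
        self._call("POST", "authentication/flows", {
            "alias": alias, "providerId": "basic-flow", "topLevel": True, "builtIn": False,
            "description": "Link brokered accounts to local users by email"})
        for provider, requirement in build_flow_executions(strict):
            # POST returns 201 with a Location header ending in the new execution id.
            headers, _ = self._call("POST", f"{flow_path(alias)}/executions/execution",
                                    {"provider": provider})
            execution_id = headers["Location"].rsplit("/", 1)[-1]
            # New executions start as DISABLED; set the requirement explicitly.
            self._call("PUT", f"{flow_path(alias)}/executions",
                       {"id": execution_id, "requirement": requirement})

    def bind_flow_to_idp(self, idp_alias, flow_alias):
        path = f"identity-provider/instances/{urllib.parse.quote(idp_alias)}"
        _, idp = self._call("GET", path)           # fetch full representation first
        idp["firstBrokerLoginFlowAlias"] = flow_alias
        self._call("PUT", path, idp)               # PUT it back with only that field changed


if __name__ == "__main__":
    import os
    import sys
    # Assumed deployment values, supplied via environment variables.
    base = os.environ.get("KC_URL", "http://localhost:8080")
    strict = "--strict" in sys.argv
    token = get_admin_token(base, os.environ["KC_ADMIN_USER"], os.environ["KC_ADMIN_PASSWORD"])
    kc = KeycloakAdmin(base, os.environ.get("KC_REALM", "myrealm"), token)
    alias = os.environ.get("KC_FLOW_ALIAS", "auto-link first broker login")
    kc.create_first_broker_login_flow(alias, strict)
    kc.bind_flow_to_idp(os.environ.get("KC_IDP_ALIAS", "external-idp"), alias)
    print(f"created {alias!r} ({'strict' if strict else 'answer'} variant) and bound it to the IdP")
```

Run it once per realm as `KC_ADMIN_USER=... KC_ADMIN_PASSWORD=... python3 first_broker_login.py [--strict]`; re-running fails on the flow POST because the alias already exists, which is deliberate so an existing flow is not silently altered. Either variant links a brokered identity to a local account on nothing more than a matching email or username, so it is only safe when, as in the question, the IdP is fully trusted and is known to verify the email addresses it asserts; an IdP that lets its users choose an unverified email would let them take over the matching local account.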