Keycloak - how to allow linking accounts without registration

I am managing a Keycloak realm with only a single, fully-trusted external IdP added that is intended to be the default authentication mechanism for users.

I do not want to allow users to register, i.e. I want to manually create a local Keycloak user, and that user should then be allowed to link his external IdP account to the pre-existing Keycloak account, with the email address as the common identifier. Users with access to the external IdP but without an existing Keycloak account should not be allowed to connect.

I tried the following First Broker Login settings, but whenever a user tries to login, he gets an error message (code: invalid_user_credentials).

[Screenshot of the First Broker Login flow settings; image not available]

Do you have any idea what my mistake might be?

muffel, asked Sep 18 '18 08:09




1 Answer

Looks like they integrated this feature in version 4.5.0.

See automatic account link docs.

Basically you need to create a new flow and add 2 alternative executions:

  1. Create User If Unique

  2. Automatically Link Brokered Account

Thiago Pinto, answered Oct 09 '22 17:10
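The flow from the answer, written out as a partial realm import so it can be applied with `kc.sh import --file` (or `--import-realm`) and reviewed in version control rather than clicked together in the admin console. This is an added example, not code from the answer or from the Keycloak project. The realm name `example`, the flow alias `link-existing-account`, the identity provider alias `corp-oidc`, the `idp.example.com` endpoints and the `REPLACE_ME` secret are placeholders (JSON allows no comments, so they are marked only by their values); the two `authenticator` ids, `idp-create-user-if-unique` and `idp-auto-link`, are the provider ids behind the two executions the answer lists, and `firstBrokerLoginFlowAlias` is what binds the flow to the IdP.

```json
{
  "realm": "example",
  "enabled": true,
  "registrationAllowed": false,
  "authenticationFlows": [
    {
      "alias": "link-existing-account",
      "description": "First broker login: create the user if unique, otherwise link to the existing local user",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        {
          "authenticator": "idp-create-user-if-unique",
          "requirement": "ALTERNATIVE",
          "priority": 10,
          "userSetupAllowed": false
        },
        {
          "authenticator": "idp-auto-link",
          "requirement": "ALTERNATIVE",
          "priority": 20,
          "userSetupAllowed": false
        }
      ]
    }
  ],
  "identityProviders": [
    {
      "alias": "corp-oidc",
      "providerId": "oidc",
      "enabled": true,
      "trustEmail": true,
      "firstBrokerLoginFlowAlias": "link-existing-account",
      "config": {
        "clientId": "keycloak-broker",
        "clientSecret": "REPLACE_ME",
        "authorizationUrl": "https://idp.example.com/oauth2/authorize",
        "tokenUrl": "https://idp.example.com/oauth2/token",
        "jwksUrl": "https://idp.example.com/oauth2/jwks",
        "useJwksUrl": "true",
        "validateSignature": "true",
        "defaultScope": "openid email profile"
      }
    }
  ]
}
```

How the two alternatives interact: on a brokered login with no linked identity yet, Create User If Unique looks for a local user with the same email or username. If none exists it creates one and the flow ends; if one exists it records that user and hands over to the next alternative, Automatically Link Brokered Account, which links the brokered identity to that user without a password prompt or email verification. Two caveats for the question as asked. First, the link is made purely on the email claim, so this is only acceptable because the IdP is fully trusted and asserts verified emails; an attacker who can obtain an IdP account carrying a victim's email address would take over the victim's local account. Second, this flow does not refuse unknown IdP users: the first execution creates a local account for them, which is the opposite of the question's requirement, and simply dropping it does not work because `idp-auto-link` depends on a preceding execution having identified the existing user. Later Keycloak releases add a "Detect existing broker user" execution for that preceding role, which is outside what this answer covers.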