This repository has been archived by the owner on Mar 8, 2022. It is now read-only.

How to pre-select IDP for applications #69

Closed
ShellyXueHan opened this issue Mar 30, 2020 · 2 comments
Labels
FAQ Frequently asked questions, keeping for record until docs created. sso Tag for all issues and work items associated with the SSO Team

Comments

@ShellyXueHan
Contributor

Background:

I have multiple Identity Providers (IDPs) enabled in my realm. But one of my applications is designed to only use one of the IDPs. Do I need a separate realm for that?

Solution:

No, do not request a separate realm in this case. Here are two ways to achieve it.

Option 1:

Use an IDP hint to get your app to pre-select the IDP. To do so, include kc_idp_hint=xxx in the auth URL. For example: https://{KC_URL}/realms/{REALM}/protocol/openid-connect/auth?...&kc_idp_hint=github

However, if your application does not support this customization, try Option 2.

Option 2:

Override Authentication Flow for the app's keycloak client.

  • Create a copy of the Browser Flow with Identity Provider Redirector enabled and configured with the target IDP.
  • In the application's client, go to Authentication Flow Overrides and select the new auth flow.
@ShellyXueHan ShellyXueHan added the FAQ Frequently asked questions, keeping for record until docs created. label Mar 30, 2020
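Added example for Option 1 (not code from the original issue or from the bcgov SSO project): a small client-side helper that builds the Keycloak authorization request with kc_idp_hint set to the target IDP alias, alongside the state, nonce and PKCE parameters a client should send anyway. The Keycloak host, realm, client id, redirect URI and the aliases "idir"/"github" are assumed values for illustration; only the endpoint path and the kc_idp_hint parameter name come from the issue text above.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(kc_url, realm, client_id, redirect_uri, idp_hint=None, scope="openid"):
    """Build the Keycloak authorization request for one client.

    kc_idp_hint is added only when the caller passes an IDP alias, so the same
    helper serves clients that still want the realm's "choose your IDP" screen.
    Hostname, realm and client values are supplied by the caller (assumed values
    in the tests below); the endpoint path matches the issue's example URL.
    """
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if idp_hint:
        params["kc_idp_hint"] = idp_hint  # alias of the IDP configured in the realm
    url = f"{kc_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"
    # The caller must keep state, nonce and code_verifier server-side and check them on the callback.
    return {"url": url, "state": state, "nonce": nonce, "code_verifier": verifier}


def auth_params(url):
    """Parse the query string of an authorization URL into single-valued params."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def challenge_matches(verifier, challenge):
    """True if `challenge` is the S256 challenge of `verifier` (constant-time compare)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    req = build_auth_url("https://sso.example.invalid", "myrealm", "client-b",
                         "https://app-b.example.invalid/callback", idp_hint="idir")
    print(req["url"])
```

The hint only steers the redirect for a fresh login: as the next comment explains, a user who already holds a session in the realm is not sent through the IDP again, so the application still has to enforce authorization on the token it receives.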
@jefkel

jefkel commented Oct 20, 2020

To add to this: the IDP hint only helps with bypassing the "choose your IDP" screen, and does NOT enforce any particular role/group/authorization for a client/service. Since your realm has multiple IDPs, you may be faced with a situation where a user is already logged into your realm and does not follow the login flow (or the hint).

Some possible flows when using a single realm for more than 1 application:
Realm MyRealm
Application A - uses GitHub & IDIR IDPs for authentication. (no IDP hints) (configured as client A in MyRealm)
Application B - uses IDIR IDP for authentication. (uses IDP hints) (configured as client B in MyRealm)

Possible error flow:
1 - User logs into Application A (using GitHub IDP - valid MyRealm token granted)
2 - User opens new tab, and loads Application B

  • User is challenged for MyRealm token, provides token from step 1.
  • User has access to Application B (via GitHub IDP)

Alternative possible error flow (with Application B using a separate Authentication Flow):
1 - User logs into Application A (using GitHub IDP - valid MyRealm token granted)
2 - User opens new tab and loads Application B

  • User is redirected to log in with new authentication flow (forcing auth with IDIR - new MyRealm token granted)
  • User changes back to Application A, and presents MyRealm token when prompted (the new one)
  • User could be accessing Application A as a new identity

Both of the above error flows are possible because of the assumption that Authentication grants Authorization. In both of the above cases, that assumption can be tested false. For your application designs, make sure to test that assumption.

Some things to think about when multiple clients are leveraging the same realm.

  • Users are logging into a Realm (not a client application); the user ends up with a token for a Realm Identity.
  • Applications with authorization requirements (ie: restricted to an IDP) should have those authorization roles managed separately from their authentication (ie: roles/groups/etc).
  • Do your users use all applications in your Realm?
  • If your users need to change realm identities between your client applications, how are you accommodating this?

More ideas? Options? Separation of auth/auth tricks and tips (ie: separation of Authentication and Authorization)?
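Added example (not code from the original comment or from the bcgov SSO project) showing the application-side checks that make the two error flows above fail closed. It assumes the Keycloak adapter has already verified the token signature and issuer, that Application B requires a realm role (here the assumed role "idir-user", which could for instance be granted by an identity-provider role mapper on the IDIR IDP), and, optionally, that a protocol mapper exposes the brokering IDP as an "identity_provider" claim; Keycloak does not put that claim in tokens unless such a mapper is configured. Each application also pins the realm identity (sub) its local session was created for, which is what catches the second flow. The token payloads are constructed test data, not captured tokens.

```python
import time


class AuthzError(Exception):
    """Raised when a validly signed token still fails the application's authorization policy."""


def authorize_token(claims, client_id, required_role, required_idp=None, now=None):
    """Authorization checks for one client, run AFTER signature and issuer verification.

    Returns the subject (realm identity) on success. `required_idp` is only
    enforceable if the realm has a mapper that emits an "identity_provider"
    claim (assumed here, not a Keycloak default).
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise AuthzError("token expired")
    # azp is the client the token was issued to; refuse tokens minted for another client
    if claims.get("azp") != client_id:
        raise AuthzError(f"token issued to {claims.get('azp')!r}, not {client_id!r}")
    roles = claims.get("realm_access", {}).get("roles", [])
    if required_role not in roles:
        raise AuthzError(f"missing realm role {required_role!r}")
    if required_idp is not None and claims.get("identity_provider") != required_idp:
        raise AuthzError(f"expected login via {required_idp!r}, got {claims.get('identity_provider')!r}")
    return claims["sub"]


def is_authorized(claims, client_id, required_role, required_idp=None, now=None):
    """Boolean form of authorize_token for callers that do not want the exception."""
    try:
        authorize_token(claims, client_id, required_role, required_idp, now)
        return True
    except AuthzError:
        return False


class AppSession:
    """Per-application session that pins the realm identity it was created for.

    A realm SSO session can be re-authenticated as a different user while this
    session is still alive; presenting a token for another sub must not be
    silently accepted as the original user.
    """

    def __init__(self, client_id, required_role, required_idp=None):
        self.client_id = client_id
        self.required_role = required_role
        self.required_idp = required_idp
        self.bound_sub = None

    def present(self, claims, now=None):
        sub = authorize_token(claims, self.client_id, self.required_role, self.required_idp, now)
        if self.bound_sub is None:
            self.bound_sub = sub
        elif self.bound_sub != sub:
            raise AuthzError(f"session bound to {self.bound_sub!r} but token is for {sub!r}")
        return sub


# Constructed sample token payloads (assumed client ids, role names and IDP aliases).
NOW = 1_600_000_000


def _token(sub, azp, roles, idp):
    return {"sub": sub, "azp": azp, "exp": NOW + 300,
            "realm_access": {"roles": roles}, "identity_provider": idp}


GITHUB_TOKEN_A = _token("sub-github-1", "client-a", ["default-roles-myrealm"], "github")
GITHUB_TOKEN_B = _token("sub-github-1", "client-b", ["default-roles-myrealm"], "github")
IDIR_TOKEN_A = _token("sub-idir-1", "client-a", ["default-roles-myrealm", "idir-user"], "idir")
IDIR_TOKEN_B = _token("sub-idir-1", "client-b", ["default-roles-myrealm", "idir-user"], "idir")


def error_flow_1():
    """Application B is handed a token minted from the GitHub-authenticated realm session."""
    try:
        authorize_token(GITHUB_TOKEN_B, "client-b", "idir-user", "idir", now=NOW)
        return "allowed"
    except AuthzError as e:
        return f"denied: {e}"


def error_flow_2():
    """Application A, bound to the GitHub identity, later sees a token for the IDIR identity."""
    session = AppSession("client-a", "default-roles-myrealm")
    session.present(GITHUB_TOKEN_A, now=NOW)
    try:
        session.present(IDIR_TOKEN_A, now=NOW)
        return "allowed"
    except AuthzError as e:
        return f"denied: {e}"


if __name__ == "__main__":
    print("flow 1:", error_flow_1())
    print("flow 2:", error_flow_2())
```

In the first flow the role check alone is enough, because the GitHub-brokered identity never received the role that the IDIR mapper grants; the identity_provider check is a second, independent signal. In the second flow nothing about the token is invalid for client A, which is why the application has to compare the token's sub against the identity its own session was opened with.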

@brycereid73 brycereid73 added the sso Tag for all issues and work items associated with the SSO Team label Mar 30, 2021
@zsamji

zsamji commented Jan 5, 2022

closing as it is captured in bcgov/sso-keycloak#71

@zsamji zsamji closed this as completed Jan 5, 2022