5

How to disable username/password login for external IDP ?

I know that I can use custom theme to hide http form, but I want to do it properly.

As far as I know I have to create at least custom First Broker Login and Browser authentication flow, right?

After first login from IDP I have to create user in Keycloak, but do not leverage password option.

Also Browser flow must be updated to not show username/password form, right?

Can anyone provide proper example ?

Thanks

MUHAHA
  • 1,597
  • 2
  • 16
  • 25
  • Did you find a solution to this? I had posted a similar question on keycloak mailing list but haven't got any response yet: http://lists.jboss.org/pipermail/keycloak-user/2018-August/015134.html – tryingToLearn Aug 29 '18 at 07:54
  • 4
    Have a look at: https://stackoverflow.com/a/52176780/2458858 – tryingToLearn Sep 05 '18 at 03:52

3 Answers3

0

You can use a custom authentication provider to achieve your goal.

  1. Instruct Keycloak to assign a specific user attribute to all users arriving from the IDP.
  2. Build an authentication provider which checks for that user attribute and denies access.
  3. Add the authentication provider to the Browser login flow.
  4. Optionally adjust templates files to hide login fields and show a user-friendly error if the user fails step 2.

Further details here: https://groups.google.com/g/keycloak-user/c/N9cuqXIBrSA/m/sycLxTZbCAAJ

GGGforce
  • 634
  • 1
  • 8
  • 19
0

May not be 100% suitable to this case, but found next one working fine for our case without need to compile and deploy "custom authentication provider". In our app we suppress keycloak login form and offer own custom user / password form, and for IdP integration we are using kc_hint to redirect directly to IdP login page. Once user login via IdP we want to disable user name / password login using password grant. There is a trick allows to achieve this in keycloak v15. You can assign "Update User Locale" to "Required User Actions" of the user, from that moments, direct password grant wont let user to login returning "requires action" validation error, which is not supported in our UI, while IdP login still works and skip this "required action" nor reset it after login. Of course you may need some scheduled curl script allows to set this for users automatically via users REST API : read users attributes or IdP link integration, if found specific Idp related user attribute or IdP integration link, and "requires action" array is empty, set it to "Update Locale".

Of course this all works as long as you hide keycloak login form and use your own. for all using keycloak login form, login using name / password will work and can bypass "Update locale" requirement (not sure why, perhaps because realm does not have locales configured)

John
  • 1
-1

Try this custom Authentication flow

Custom Authentication Flow

By Automatically linking brokered account, the user won't have to set a password. As for the username, it will be automatically imported from the identity provider.

Neil McKeown
  • 443
  • 1
  • 5
  • 17
Kyouma
  • 19
  • 1
  • A link to a solution is welcome, but please ensure your answer is useful without it: [add context around the link](https://meta.stackexchange.com/a/8259) so your fellow users will have some idea what it is and why it’s there, then quote the most relevant part of the page you're linking to in case the target page is unavailable. [Answers that are little more than a link may be deleted](https://stackoverflow.com/help/deleted-answers). – brass monkey Jul 18 '19 at 13:56