Closed santosmken closed 4 months ago
Hi @santosmken
In theory, it could be the last step of any flow configuration you need, so you should be able to create a copy of the first broker login flow, remove unnecessary steps, add any other steps you need, and finally add Create Tenant Membership to the end of the flow.
Obviously I haven't tested every possible combination of authenticators and steps, so please feel free to try it and do not hesitate to reach out if you encounter any issues or if things don't work as expected.
Hi @anarsultanov, thank you for your quick response. Have you tried copying the first broker login flow with only one sub-flow (create tenant membership)? Because on my end, I'm getting org.keycloak.authentication.AuthenticationFlowException. Btw, I'm using Azure AD and what's weird is that the username is xms_st -> sub claim from the AD token and not the email. Any thoughts on this?
@santosmken, could you provide more details from the logs of AuthenticationFlowException? But it might help to include a Create user if unique step in your flow if you're trying to log in with users not yet existing in Keycloak.
For the xms_st -> sub issue, it might be resolved by configuring the NameID policy format in your Identity Provider.
Adding the Create user if unique as the first step of the flow followed by the create tenant membership flow works already @anarsultanov. With regards to the NameID policy format: is that applicable for the openid protocol? Sorry, I'm not that familiar with the policy customization. Thank you and highly appreciate your responses.
Great to hear that adding the Create user if unique step resolved your flow issue, @santosmken!
Regarding the NameID policy format, that's applicable for SAML protocol configurations. For OpenID Connect (OIDC), you likely need to map claims received from the IDP to Keycloak user attributes. You can find more details in the Keycloak documentation on mapping claims and assertions.
I'll check it @anarsultanov. Thanks a lot for your help. Have a good day!
I just want to verify the right setup of the sub-flows when using IdpTenantMembershipsCreatingAuthenticator. Should it be added as the 1st flow in first broker login, or should I create a new one that only uses the authenticator? My use case is to bypass the Review profile flow but I also have to customize the username that will be created in Keycloak without using the one from the IDP token. Thank you.