anarsultanov / keycloak-multi-tenancy

Keycloak extension for creating multi-tenant IAM for B2B SaaS applications.
Apache License 2.0

Authenticator flow setup with IdpTenantMembershipsCreatingAuthenticator #35

Closed santosmken closed 4 months ago

santosmken commented 4 months ago

I just want to verify the right setup of the sub-flows when using IdpTenantMembershipsCreatingAuthenticator. Should it be added as the 1st flow in first broker login, or should I create a new one that only uses the authenticator? My use case is to bypass the Review profile flow, but I also have to customize the username that will be created in Keycloak without using the one from the IDP token. Thank you.

anarsultanov commented 4 months ago

Hi @santosmken

In theory, it could be the last step of any flow configuration you need, so you should be able to create a copy of the first broker login, remove unnecessary steps, add any other steps you need, and finally add Create Tenant Membership to the end of the flow.

Obviously I haven't tested every possible combination of authenticators and steps, so please feel free to try it and do not hesitate to reach out if you encounter any issues or if things don't work as expected.

santosmken commented 4 months ago

Hi @anarsultanov, thank you for your quick response. Have you tried copying the first broker login flow with only one sub-flow (create tenant membership)? Because on my end, I'm getting org.keycloak.authentication.AuthenticationFlowException. Btw, I'm using Azure AD and what's weird is that the username is xms_st -> sub claim from the AD token and not the email. Any thoughts on this?

anarsultanov commented 4 months ago

@santosmken, could you provide more details from the logs of AuthenticationFlowException? But it might help to include a Create user if unique step in your flow if you're trying to log in with users not yet existing in Keycloak. For the xms_st -> sub issue, it might be resolved by configuring the NameID policy format in your Identity Provider.

santosmken commented 4 months ago

Adding Create user if unique as the first step of the flow, followed by the create tenant membership flow, already works @anarsultanov. With regard to the NameID policy format, is that applicable to the OpenID protocol? Sorry, I'm not that familiar with the policy customization. Thank you, and I highly appreciate your responses.

anarsultanov commented 4 months ago

Great to hear that adding the Create user if unique step resolved your flow issue, @santosmken! Regarding the NameID policy format, that's applicable for SAML protocol configurations. For OpenID Connect (OIDC), you likely need to map claims received from the IDP to Keycloak user attributes. You can find more details in the Keycloak documentation on mapping claims and assertions.

santosmken commented 4 months ago

I'll check it @anarsultanov. Thanks a lot for your help. Have a good day!
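The setup the thread converges on (a copy of first broker login reduced to Create user if unique followed by Create Tenant Membership, bound to the IdP, plus a claim mapper so the username is not the Azure AD `sub`) can be scripted against the Keycloak Admin REST API. The script below is an added example, not code from the keycloak-multi-tenancy project or from either participant. It assumes: the provider id of the extension's authenticator, which the thread never states, is left as a labelled placeholder to be read from the Admin Console; the realm, IdP alias, flow alias and base URL are constructed values; and `idp-create-user-if-unique` and `oidc-username-idp-mapper` are the stock Keycloak provider ids for Create User If Unique and the Username Template Importer.

```python
# Added example (not the project's code): build the stripped-down first broker
# login flow from the thread via the Keycloak Admin REST API and add a username
# mapper so the brokered username comes from the email claim, not the subject id.
import json
import urllib.request

# Built-in Keycloak authenticator. Review Profile (idp-review-profile) is simply
# not added, which is how the thread bypasses it.
CREATE_USER_IF_UNIQUE = "idp-create-user-if-unique"

# ASSUMPTION: the provider id of IdpTenantMembershipsCreatingAuthenticator is not
# given in the thread. Read it from Admin Console > Authentication > step
# "Create Tenant Membership" and replace this placeholder before running apply().
TENANT_MEMBERSHIP = "PLACEHOLDER_tenant_membership_provider_id"


def flow_definition(alias):
    """Body for POST /admin/realms/{realm}/authentication/flows."""
    return {
        "alias": alias,
        "description": "First broker login without Review Profile (constructed example)",
        "providerId": "basic-flow",
        "topLevel": True,
        "builtIn": False,
    }


def execution_steps(tenant_provider_id=TENANT_MEMBERSHIP):
    """Ordered bodies for POST .../flows/{alias}/executions/execution.
    Order matters: the user must exist before a tenant membership can be created
    for it, which is why the thread's first attempt (membership step alone) failed."""
    return [{"provider": CREATE_USER_IF_UNIQUE}, {"provider": tenant_provider_id}]


def requirement_updates(executions, required_providers):
    """Executions are created DISABLED. Given the list returned by
    GET .../flows/{alias}/executions, return the PUT bodies that mark our two
    steps REQUIRED and leave any other execution untouched."""
    return [
        {"id": ex["id"], "requirement": "REQUIRED"}
        for ex in executions
        if ex.get("providerId") in required_providers
    ]


def username_mapper(idp_alias, template="${CLAIM.email}"):
    """Body for POST .../identity-provider/instances/{alias}/mappers using
    Keycloak's Username Template Importer; the template decides the username."""
    return {
        "name": "username-from-email",
        "identityProviderAlias": idp_alias,
        "identityProviderMapper": "oidc-username-idp-mapper",
        "config": {"syncMode": "INHERIT", "template": template},
    }


def _call(base, token, method, path, body=None):
    """Minimal JSON call against the admin API with a bearer token."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        base + path, method=method, data=data,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def apply(base_url, realm, token, idp_alias, flow_alias="tenant-first-broker-login"):
    """Live version: needs an admin access token; nothing here runs offline."""
    root = f"/admin/realms/{realm}/authentication/flows"
    _call(base_url, token, "POST", root, flow_definition(flow_alias))
    for step in execution_steps():
        _call(base_url, token, "POST", f"{root}/{flow_alias}/executions/execution", step)
    executions = _call(base_url, token, "GET", f"{root}/{flow_alias}/executions")
    for upd in requirement_updates(executions, {CREATE_USER_IF_UNIQUE, TENANT_MEMBERSHIP}):
        _call(base_url, token, "PUT", f"{root}/{flow_alias}/executions", upd)
    # PUT on an IdP replaces the whole representation, so fetch, patch, write back.
    idp = f"/admin/realms/{realm}/identity-provider/instances/{idp_alias}"
    current = _call(base_url, token, "GET", idp)
    _call(base_url, token, "PUT", idp, {**current, "firstBrokerLoginFlowAlias": flow_alias})
    _call(base_url, token, "POST", idp + "/mappers", username_mapper(idp_alias))
```

The builders are pure so the request bodies can be inspected before anything is sent; `apply()` performs the same sequence a person would click through in the Admin Console. Note that Keycloak's stock first broker login keeps Create User If Unique as ALTERNATIVE with a Handle Existing Account sub-flow after it; this flow follows the thread and omits that, so an IdP login whose email already belongs to a local account is not reconciled here.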