Allow specifying a custom Post Login Flow for an organization-linked IdP

[xgp]

By default, we set the postBrokerLoginFlowAlias to post org broker login when an IdP is linked to an Organization. If you have already set a custom value for that flow it will be overriden.

We need a way to allow this to be specified, and for a custom default to be set.

Ideas:

• show all authentication flows in a dropdown in the UI, with a default (or the current value?) selected
• add a realm-level attribute that stores a default attributes->organizationPostLoginFlow

If we do the second one for the default, we should also consider allowing a custom default for syncMode, which we currently override to FORCE

[pnzrr]

• Authentications > Flow API call (shows all flows)
• add a realm-level attribute that stores a default attributes->organizationPostLoginFlow
• syncMode => picks from realm attribute
• default if no changes should be post org broker login

longer term

• method for IDP, postBrokerFlow, syncMode, BE does the linking

[xgp]

New method. Link an existing IdP to an organization

POST /:realm/orgs/:orgId/idps/link

Path Parameters

• realm string required - realm name (not id!)
• orgId string required - organization id

Body

• alias string required - alias of existing IdP
• post_broker_flow string optional - post broker login flow alias, defaults to post org broker login
• sync_mode string optional - sync mode, defaults to FORCE

Example

{
  "alias": "azure-saml-1234",
  "post_broker_flow": "super duper post org broker login",
  "sync_mode": "IMPORT"
}

Responses

• 201 with Location header of org IdP, created successfully
• 409, IdP is already associated

[xgp]

New method implemented here https://github.com/p2-inc/keycloak-orgs/pull/159

[pnzrr]

Code pushed up here: https://github.com/p2-inc/keycloak/commits/23.0.1_orgs_admin_ui/

Getting a 500 error whenever I hit the Link endpoint though. Somethings going on there.

[xgp]

It was how we were updating the IdP. Fixed now.