Auto-mapping to an Organization based on email domain

[alexanderhofstaetter]

we have the understanding, that when a user logs in, and uses a org-verified domain, that the user is auto-added to the correct org.

Is there such an auto logic? Or do we have to map each user separately?

[xgp]

That feature does not exist. Automatic mapping of Users to an Organization currently happens in two cases:

• The User authenticates with an Identity Provider that is owned by the Organization. This often, but not always, corresponds to a user with the domain that is associated with the Organization.
• The User has an Invitation to the Organization, and logs in and accepts the Invitation.

The feature you are suggesting could be:

• added as a Required Action that would be evaluated every time a User logs in, so that the User could be automatically added to an Organization that is associated with the User's email domain.
• added as an Authenticator that could be placed in an Authentication Flow for evaluation after the User is successfully authenticated.

For both ideas above, it would be necessary to make sure the user has a verified email. It would also be good to allow an admin to specify whether or not the Organization Domain must be verified in order to allow auto-mapping.

Feel free to PR this, as I think it would be a good addition.

[alexanderhofstaetter]

Thanks!

We have the following use case why we are evaluating the use of keycloak-orgs at the moment.

We have a multi-tenant SaaS, where every customer logs in with their Azure AD (Microsoft) tenant as trusted SSO.

Currently in every SaaS environment we add a custom Azure IdP OAuth application in the customer tenant to use federated login.

We want to move to a cloud-based SaaS approach, where we have one keycloak as our Cloud IdP, with an single Microsoft OAuth Application (allows multi tenant), so every organization logs in via their own Microsoft account, but in our tenant.

So every user (of all orgs) use the same Social IdP. We now want to allow login with the same IdP but automap the user based on their email domain to the correct org.

We trust the email domain, as there is no manual way to register, only with the SSO approach.

I am trying on getting some infos of this can be done with a custom JS authenticator - but I currently lack the knowledge on where to add such logic.

Thanks!

[xgp]

I would suggest doing it as a Required Action. There's some good documentation here https://www.keycloak.org/docs/latest/server_development/index.html#required-action-walkthrough

[alexanderhofstaetter]

Thanks for the tip! we implemented it as custom authenticator that matches users to orgs based on email (via IdP SSO) which we use in every auth via a custom post login flow the the IdP.

If somebody is interested in more details or the plugin I am happy to share!

[xgp]

Thanks for the update @alexanderhofstaetter

We do a similar thing in the OrgAddUserAuthenticatorFactory: https://github.com/p2-inc/keycloak-orgs/blob/main/src/main/java/io/phasetwo/service/auth/OrgAddUserAuthenticatorFactory.java

Feel free to PR your addition if you think others would be helped by it.