Open kedare opened 6 months ago
Using "social login providers" for organizations wasn't really an intended use case. Our expectation is that generic SAML or OIDC are used to connect to organization-owned IdPs that are the source of truth for who is and who is not a member of an organization. That way, we don't do filtering after the identity brokering on email domain, as we assume that the IdP controls access.
I have User registration set to off, so I would not expect any user to be created automatically.
This is true for the default Keycloak behavior also. Creating an "account" linked to an identity broker is not considered "user registration" in Keycloak either.
Is there a way to prevent any non-existing user from being created?
Yes. You would have to create a custom authenticator and put it in the flows that you assign to the "Post login flow" and "First login flow" in the IdP.
Is there something I can add to the authentication flow to prevent any login from users that are not already part of an organization?
Same as above. You would have to create a custom authenticator and put it in the flows that you assign to the "Post login flow" and "First login flow" in the IdP.
However, I can see the following as potentially valuable additions, so we'd look at a PR:
Hello,
regarding this topic, there is a possible workaround with "active organization authenticator".
Upon login, it will ask the user to select an organization. However, if the user has no organizations, he will get an error message, and it should prevent him from connecting:
Otherwise, indeed, a custom authenticator which enforces that a user has an organization seems the way to go (just a validation which checks that the user belongs to any organization).
There is a possible example here:
https://github.com/p2-inc/keycloak-orgs/blob/11f61355c6152e9d2fdccc9373f1ea5bf414c8e1/src/main/java/io/phasetwo/service/auth/ActiveOrganizationAuthenticator.java#L123-L138
best
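As an added illustration (not code from keycloak-orgs or from anyone in this thread), a minimal Keycloak Authenticator that fails the login when the resolved user belongs to no organization, for use in the IdP "First login flow" and "Post login flow" mentioned above. The class and package names are hypothetical, and the membership lookup assumes keycloak-orgs exposes its OrganizationProvider through the session with a getUserOrganizationsStream(realm, user) method; registering the authenticator still needs an AuthenticatorFactory and a META-INF service entry, which are not shown.

```java
package org.example.keycloak.auth; // hypothetical package, not part of keycloak-orgs

import io.phasetwo.service.model.OrganizationProvider;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Fails the login unless the resolved user is a member of at least one
 * organization. Meant for the IdP "First login flow" and "Post login flow"
 * so that a shared social IdP cannot log in users that no organization owns.
 */
public class RequireOrganizationAuthenticator implements Authenticator {

  @Override
  public void authenticate(AuthenticationFlowContext context) {
    UserModel user = context.getUser();
    // Defensive fail-closed check: this step must run after the user has been
    // resolved (e.g. after the broker has linked or created the account).
    if (user == null) {
      context.failure(AuthenticationFlowError.UNKNOWN_USER);
      return;
    }
    if (!isMemberOfAnyOrganization(context.getSession(), context.getRealm(), user)) {
      context.failure(AuthenticationFlowError.ACCESS_DENIED);
      return;
    }
    context.success();
  }

  static boolean isMemberOfAnyOrganization(KeycloakSession session, RealmModel realm, UserModel user) {
    // Assumption: keycloak-orgs registers its OrganizationProvider as a session
    // provider and exposes getUserOrganizationsStream(realm, user).
    OrganizationProvider orgs = session.getProvider(OrganizationProvider.class);
    return orgs != null && orgs.getUserOrganizationsStream(realm, user).findAny().isPresent();
  }

  // No form is rendered, so a re-submitted action is just re-evaluated.
  @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
  @Override public boolean requiresUser() { return true; }
  @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
  @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
  @Override public void close() { }
}
```

Mark the execution as REQUIRED in both flows; in the first login flow it must sit after the step that creates or links the brokered account, otherwise there is no user to check.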
Hello.
I was doing some tests by integrating some generic identity providers (let's say GitHub) and setting it as the IDP for an organization.
I was expecting the authentication to fail as the mail would not match the domain from the organization, but I could successfully login; it would not login with the user of the org (let's say user@example.com) but would create a new user (user@example.org instead, not part of any organization). User registration is set to off, so I would not expect any user to be created automatically.
Also, as it looks like the social IDP integrations are singletons, is it usually okay to have a single GitHub integration for all the organizations?
Thanks