p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Home IDP Discovery not working as expected #258

Closed ankur-tj closed 3 months ago

ankur-tj commented 3 months ago

Hello,

I have two demo instances of Keycloak Org. The first is the master instance and the 2nd is the IDP. I configured the IDP in my master instance and linked it to an organization. I have my Angular app registered as a client in my master Keycloak, and the authentication flow used is Org browser flow. I added the extra step of Home discovery, but it doesn't work as expected. I tried deleting a few steps and also tried inserting the IDP step at random serial order, so I don't have exact steps to reproduce the issue. After trying a few combinations of placing the IDP step, I was finally redirected to the IDP for the 1st time and I was able to successfully get the token and got redirected to my Angular app, but when I logged out and tried to login again, this time it directly sent me to my Angular app instead of redirecting to IDP (no validation at all).

Basically, I need IDP discovery as 1st step. If there is no matching org found then show the password field. I also need the OTP step.

  1. Can someone please tell me which authentication flow handled this or help me create a new one with exact steps?
  2. Can someone also tell me how to block the user info getting copied to my master Keycloak when someone logs in through IDP?
  3. I also want to understand the multiple organization flow. I added the same user to multiple orgs but I was not prompted with the choice of Organization at the time of login.

Please reply back, as we are in the middle of a decision-making process on whether to go with the Keycloak org hosting plan or Okta.

xgp commented 3 months ago
  1. See the following video for a simple setup:

https://github.com/p2-inc/keycloak-orgs/assets/244253/1d9da9d5-f4db-4a1d-8984-d38462a9e2be

  2. Identity brokering in Keycloak creates a local user. Find more information about everything that happens in the First Login Flow portion of the Keycloak documentation.
  3. For more information about using a mechanism of choosing from multiple organizations, see the documentation on the Active Organization features.

when I logged out and tried to login again, this time it directly sent me to my angular app instead of redirecting to IDP (no validation at all)

This means you were still logged in to the remote IdP with an active SSO session. This worked as expected, because you are not supposed to have to log in if you have an active SSO session. If you want to have a logout from your app propagate to the remote IdP, make sure you have the following settings checked in your IdP configuration.

Please reply back, as we are in the middle of a decision-making process on whether to go with the Keycloak org hosting plan or Okta.

Good luck with your evaluation of Keycloak.

ankur-tj commented 3 months ago

First of all thanks for answering my queries.

I have gone through the video and I tried doing the same setup as yours but I couldn't find the step/condition called 'Organization Identity-First login'.

This is what it looks like.

Now the issue that I am facing is that I am able to redirect the user to the organization-configured IDP the first time, but once the user logs out and tries to log in again, the endpoint below returns the error.

/realms/microservices/login-actions/authenticate?session_code=v8-Dxncx8xS4OaumBigHhP2PWCufzeRgAd3_NIceGx0&execution=315da79d-7b37-4ae1-b658-94bb10a65488&client_id=angularapp&tab_id=Uvww_94tL3o&client_data=eyJydSI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDIwMCIsInJ0IjoiY29kZSIsInN0IjoiU1RKRWJHdGFWak5SYW1WYU5Hb3pRek13VVZGSFZtTm1kSEpOV25CNlYzcFJhM2s1ZUdWUVNXcFZXVkUyIn0

Another thing I would like to highlight is that the username field was auto-filled for you and looked greyed out, but in my case it was not filled, so please throw some light on this as well.

xgp commented 3 months ago

'Organization Identity-First login'

That stuff's all irrelevant. Ignore it.

Here's a really simplified version that works:

Regarding the second login problem, that's either a problem with your Identity Provider configuration or something that comes up when OTP isn't properly configured. That's not specific to this extension. Please consult the Keycloak documentation or repository/forum for help there.

username field was auto-filled

That's how it looks with Keycloak when you pass the login_hint. How it behaves when you pass that parameter will be up to the identity provider. But, if you are seeing the username in your Keycloak example, it is working.

ankur-tj commented 3 months ago

Thanks for sharing this really simplified version where everything is working as expected.

Is there a configuration in the Home IDP Discovery step to redirect the user to their IDP only if there exists a user with the same username in Keycloak? Or if there is an alternative way to check this, then please share that also.

xgp commented 3 months ago

No

ankur-tj commented 3 months ago

Actually, this is possible, you just have to set this flag to true.

The only issue here is that the error message is not user friendly.

If there is a way to customize this message, please let me know.

xgp commented 3 months ago

Messages can be updated in custom themes: https://www.keycloak.org/docs/latest/server_development/index.html#_themes

ankur-tj commented 3 months ago

Thanks for sharing the link. I tried overwriting the message identityProviderUnexpectedErrorMessage through the realm attribute _providerConfig.theme.login.messages.identityProviderUnexpectedErrorMessage, but it's not being reflected. I have selected the attributes theme for the login page. I believe the issue is with the path to the messageKey through providerConfig.

Could you please throw some light on this?

xgp commented 3 months ago

That is an experimental part of the keycloak-themes extension. I would recommend building a custom theme instead.

ankur-tj commented 3 months ago

I have 3 more attributes and those are working fine. The problem is only with overwriting the message. Is there no other way apart from building a custom theme?

xgp commented 3 months ago

As I said, it's experimental. I don't have an idea why some keys work and some don't. If you'd like to help us figure it out, please look into it and submit a PR.

ankur-tj commented 3 months ago

Sure, I got your point, but I wanted to know whether this is a top priority in your upcoming releases or not.

Additionally, I also want to know about the attributes theme. The login button text color changes to some dark color on click; I want to retain the same color, so I tried adding styles like the ones below, but it doesn't work. I even tried adding more specificity to the CSS selector, but nothing worked. Is there any workaround for this?

```css
/* both selectors need the leading '#': kc-login is the button's id */
#kc-login:focus, #kc-login:active {
  color: white !important;
}
```
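The custom-theme route recommended above covers both the identityProviderUnexpectedErrorMessage override and the button styling, so here is an added example (not from this issue or the keycloak-orgs project) that scaffolds such a login theme as a shell script; the theme name orgtheme, the message text and the target directory are assumptions.

```shell
#!/bin/sh
# Added example: scaffold a minimal custom Keycloak login theme that
# (a) overrides the identityProviderUnexpectedErrorMessage key and
# (b) keeps the #kc-login button text white while focused or pressed.
# Theme name, message text and target directory are assumptions.
set -eu

THEME=orgtheme

# make_theme <themes-dir>: writes <themes-dir>/orgtheme/login/...
make_theme() {
  login="$1/$THEME/login"
  mkdir -p "$login/messages" "$login/resources/css"

  # Inherit the stock "keycloak" login theme and list our stylesheet
  # after the parent's css/login.css so our rules are applied last.
  cat > "$login/theme.properties" <<'EOF'
parent=keycloak
import=common/keycloak
styles=css/login.css css/styles.css
EOF

  # Keys placed here override the parent's message bundle for that locale.
  cat > "$login/messages/messages_en.properties" <<'EOF'
identityProviderUnexpectedErrorMessage=No account exists for this username. Contact your administrator.
EOF

  # The selector needs the leading '#': kc-login is the button's id.
  cat > "$login/resources/css/styles.css" <<'EOF'
#kc-login:focus, #kc-login:active { color: white !important; }
EOF
}

# theme_message <themes-dir> <key>: prints the overridden English message
theme_message() {
  grep "^$2=" "$1/$THEME/login/messages/messages_en.properties" | cut -d= -f2-
}
```

Keycloak caches themes, so restart it (or run it with `--spi-theme-cache-themes=false` while developing) before selecting orgtheme as the realm's login theme.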