Closed lsmith77 closed 2 months ago
@lsmith77
@xgp any other thoughts?
@pnzrr thank you for your response. What I am missing in https://phasetwo.io/blog/customizing-login-pages is how to do these customizations on a per-organization basis, i.e. we want the organization to be able to set their colors and logos, so I am pondering what the best strategy is for this.
Right now my plan is to use the subdomain to identify the organization and then remotely fetch organization-specific CSS/logo and the list of IdPs to display.
@lsmith77 We don't have customization on a per organization basis, and don't really support any customization based on the subdomain.
In our SaaS application each organization runs on its own subdomain. For SSO, we would therefore also want to run everything on its own subdomain, which is of course doable with Keycloak.
However, commonly this is done by binding realms to subdomains (see e.g. https://medium.com/@tdebodt/give-your-application-a-professional-touch-with-wildcard-subdomain-and-secure-it-with-oidc-and-5a6b70e23259).
With P2, we would use a single realm, while still customizing the UI (custom logo, color scheme) and showing the IdP options for that specific organization. Whatever login mechanism is used, it should set the active organization automatically in the token.
Since I didn't find anything in the documentation, I wanted to check what the best practices are here and add this to the documentation.
Topics I have identified here:
1) Keycloak configuration
To allow the user to log out, Keycloak does not accept wildcards on domain names for the redirect URI.
see here
2) Theming
My understanding is that organization-specific IdPs basically work by first receiving the email domain to then determine the IdP based on the verified domain concept. But this requires the user to supply their email, rather than having a single-button experience to e.g. log in via Google or Microsoft.
I guess what we need to do is build some JavaScript code that can fetch the list of IdPs for the specific organization and then use idpHint on each of the login options to force login into the specific IdP.
3) Parallel logins to multiple organizations
4) Anything else that should be considered/configured in such a setup?
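As an added example of the idpHint approach described in point 2 (this is not code from the issue or from Phase Two): it derives the organization from the subdomain, looks the organization's IdP aliases up in a constructed in-memory map (in practice fetched from your own backend), and builds Keycloak authorization URLs carrying kc_idp_hint. The realm name, Keycloak base URL, client id and IdP aliases are assumptions.

```javascript
// Added example, not part of the original issue: per-organization Keycloak login links
// that force a specific IdP via the kc_idp_hint query parameter.
// Assumed values: Keycloak base URL, realm "saas", client id "app".
const KEYCLOAK_BASE = "https://auth.example.com";
const REALM = "saas";
const CLIENT_ID = "app";

// Constructed sample data: the IdP aliases each organization offers.
// In a real deployment this list would be fetched from your backend per subdomain.
const ORG_IDPS = {
  acme: [{ alias: "acme-google", label: "Sign in with Google" }],
  globex: [
    { alias: "globex-azuread", label: "Sign in with Microsoft" },
    { alias: "globex-okta", label: "Sign in with Okta" },
  ],
};

// Derive the organization from the first DNS label (acme.example.com -> acme).
// Only known organizations are accepted, so an arbitrary hostname cannot select an IdP.
function orgFromHost(hostname) {
  const label = hostname.split(".")[0].toLowerCase();
  return Object.prototype.hasOwnProperty.call(ORG_IDPS, label) ? label : null;
}

// Build the OIDC authorization URL for one IdP of one organization.
// redirect_uri is the exact origin of the organization's subdomain: Keycloak does not
// accept wildcards, so each subdomain's callback must be registered explicitly on the client.
// state must be a fresh, unguessable value per login attempt and checked at the callback.
function buildLoginUrl(org, idpAlias, origin, state) {
  const idps = ORG_IDPS[org] || [];
  if (!idps.some((i) => i.alias === idpAlias)) {
    throw new Error(`IdP ${idpAlias} is not configured for organization ${org}`);
  }
  const url = new URL(`${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/auth`);
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", "openid");
  url.searchParams.set("redirect_uri", `${origin}/callback`);
  url.searchParams.set("state", state);
  // kc_idp_hint skips the Keycloak login form and redirects straight to this IdP.
  url.searchParams.set("kc_idp_hint", idpAlias);
  return url.toString();
}

// One login link per IdP the organization offers; empty for unknown subdomains.
function loginLinksFor(hostname, state) {
  const org = orgFromHost(hostname);
  if (!org) return [];
  const origin = `https://${hostname}`;
  return ORG_IDPS[org].map((i) => ({ label: i.label, href: buildLoginUrl(org, i.alias, origin, state) }));
}
```

The state value is passed in rather than generated so the output is deterministic; in a browser it would come from crypto.getRandomValues and be stored for verification when the callback returns.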