
I'm running the saml-broker-authentication example. The first thing that I see in the UI is a user/pass form with an option to use a broker (image below).

Is there a way to skip this form and go straight to the IDP?

After clicking on one of the IDPs, I get a URL of the sort: http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication&code=<keycloak generated>

I tried using the following url (without the code) directly but got an error. (http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication)

Any idea how to bypass Keycloak auth and directly go to the IDP through the SP(broker)? Thanks.

UPDATE: My TL found a static solution to put the IDP ID in the browser's authentication flow under the Identity Provider Redirector execution. BUT we're trying to find a dynamic way to do it. Looked at the kc_idp_hint documentation but couldn't find a way to make the saml-broker-authentication example work with it :(


AlikElzin-kilaka
  • Mailing list: http://lists.jboss.org/pipermail/keycloak-user/2017-October/011942.html – AlikElzin-kilaka Oct 02 '17 at 12:02
  • I had a somewhat similar task, but for user authentication. I am not sure that it helps. Just in case: https://github.com/v-ladynev/keycloak-nodejs-example#examples-of-using-admin-rest-api-and-custom-login – v.ladynev Oct 02 '17 at 12:45

10 Answers


As you mentioned, you can bypass the Keycloak screen and go directly to the IdP by setting a default identity provider for the whole realm:

It is possible to automatically redirect to a identity provider instead of displaying the login form. To enable this go to the Authentication page in the administration console and select the Browser flow. Then click on config for the Identity Provider Redirector authenticator. Set Default Identity Provider to the alias of the identity provider you want to automatically redirect users to.

(https://www.keycloak.org/docs/latest/server_admin/index.html#default_identity_provider)

Unfortunately, that's for the whole realm and can't be set dynamically or per SP. kc_idp_hint seems to be the solution, but it's only for OIDC:

OIDC applications can bypass the Keycloak login page by specifying a hint on which identity provider they want to use.

This is done by setting the kc_idp_hint query parameter in the Authorization Code Flow authorization endpoint.

(https://www.keycloak.org/docs/latest/server_admin/#_client_suggested_idp)

It looks like there's a feature request to add kc_idp_hint support for SAML but it's still unresolved:

https://issues.jboss.org/browse/KEYCLOAK-4884

As a workaround, you could create a new realm and set the default identity provider for that realm. That way if you had SPs that needed to be brokered to different IdPs, you could set them up in the appropriate realm.

The downside is each realm acts as its own IdP so it has its own entity ID, public key, etc. You'd effectively have to set the SP up again each time to have it default to a different IdP.

bmaupin

It is an old post but maybe still relevant for someone.

  1. For a static redirect to the identity provider login page, in the Keycloak admin panel set the name from Identity Providers -> name in Authentication -> Identity Provider Redirector -> config -> Default Identity Provider. After that, a request to https://{KK}/realms/{RM}/protocol/openid-connect/auth?... will redirect you to the identity provider, e.g. Facebook.

  2. Dynamic choice of IdP. If you don't want to go to the IdP login page, you may put the additional param kc_idp_hint in KK, e.g.

// go to KK login page with username/pass and choice of idp provider
https://{KK}/realms/{RM}/protocol/openid-connect/auth?...&kc_idp_hint

// go to the Facebook login page if the facebook idp is configured
https://{KK}/realms/{RM}/protocol/openid-connect/auth?...&kc_idp_hint=facebook

// go to other login page
https://{KK}/realms/{RM}/protocol/openid-connect/auth?...&kc_idp_hint=other
theSemenov
  • The question is for SAML. Unfortunately, `kc_idp_hint` only appears to work for OIDC clients, which you can see from the URLs of your answer because they contain `openid-connect` – bmaupin May 13 '20 at 12:30

To set an identity provider as the default one, ignoring the Keycloak login form, just go to the Authentication menu > Identity Provider Redirector action link > set the default identity provider to the alias of the provider you want. Once you open localhost:8080/realm[...]/account from the browser you will be automatically redirected to your provider's login page.

user666
  • This works but it applies to the whole realm. The author of the question would like a way to do this dynamically: "BUT, We're trying to find a dynamic way to do it." – bmaupin May 13 '20 at 12:36

After searching it a lot I managed to do it with this line of code:

keycloakAuth.login({idpHint: 'facebook'});

keycloakAuth being:

keycloakAuth = Keycloak({
    url: environment.keycloakRootUrl,
    realm: 'realm',
    clientId: 'client-id',
    'ssl-required': 'external',
    'public-client': true
});

No need to set it as a default identity provider.

YellowAfterlife
  • Where should we write this code? Is it part of an SPI or a JavaScript policy? Can you share more details? Your code looks promising but it is not clear where to place this code. – Sundar Rajan Feb 28 '20 at 07:25
  • I was writing an Angular application. Whenever the user clicked on the button to log in, the first code of my answer was triggered. The second code was in a service. When the application is being loaded it sets the variable 'keycloakAuth' with the value from the second code of my answer. The class 'Keycloak' being instantiated is JavaScript code (keycloak.js) that Keycloak makes available from its installation. – André Kanagusku Mar 26 '20 at 00:09
  • The question is specific to SAML. Does this work for SAML? Facebook, for example, does not use SAML but OIDC. – bmaupin May 13 '20 at 12:39
  • What package or library URL did you use so that you are able to create the instance *keycloakAuth*? – Arjun Singh Mar 10 '21 at 11:56
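The URL-based answer by theSemenov and the keycloak-js `login({idpHint})` answer above rely on the same mechanism: keycloak-js appends `kc_idp_hint` to the OIDC authorization request. The following is an added example, not code from any answer on this page; it builds that request by hand for an OIDC client so the parameter is visible. The realm and IdP alias come from the question, while `KNOWN_IDP_ALIASES`, the client id, the redirect URI and the caller-supplied `state` are constructed assumptions.

```javascript
// Added example: the authorization-request URL keycloak-js produces for
// keycloakAuth.login({ idpHint: alias }), built by hand so kc_idp_hint is
// visible. KNOWN_IDP_ALIASES, the client id, redirect URI and state value
// are constructed assumptions, not values from the original answers.

// Aliases of the identity providers configured in the realm (constructed
// sample). Keycloak matches kc_idp_hint against the alias, not the display
// name, and falls back to the normal login form for an unknown alias.
const KNOWN_IDP_ALIASES = new Set(['sanity-idp', 'facebook']);

function buildLoginUrl({ url, realm, clientId, redirectUri, state, idpHint }) {
  if (!KNOWN_IDP_ALIASES.has(idpHint)) {
    // Fail loudly instead of quietly landing on the form we wanted to skip.
    throw new Error(`unknown identity provider alias: ${idpHint}`);
  }
  const base = url.replace(/\/+$/, '');
  const endpoint =
    `${base}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/auth`;
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code', // Authorization Code Flow, where kc_idp_hint applies
    scope: 'openid',
    state,                 // anti-CSRF value; verify it on the redirect back
    kc_idp_hint: idpHint,  // the IdP alias from the admin console
  });
  return `${endpoint}?${params}`;
}

// Read the hint back out of an authorization URL, e.g. when checking what
// an adapter actually sent in a proxy or server log.
function idpHintOf(authUrl) {
  return new URL(authUrl).searchParams.get('kc_idp_hint');
}

// Realm and IdP alias taken from the question; the rest is constructed.
const loginUrl = buildLoginUrl({
  url: 'http://localhost:8080/auth',
  realm: 'saml-broker-authentication-realm',
  clientId: 'my-oidc-client',
  redirectUri: 'http://localhost:8080/my-oidc-client/',
  state: 'constructed-state-value',
  idpHint: 'sanity-idp',
});
console.log(loginUrl);
```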
  1. In keycloak admin console go to "Authentication" menu -> "Flows" panel -> in the drop down select "Browser" -> click on the "copy" button and call it "Browser2"
  2. By selecting "Browser2" you can edit the Auth Type "Identity Provider Redirector" -> "Actions" -> "Config"
  3. Under "Alias" and "Default Identity Provider" enter the alias of your saml-identity-provider, previously created in the "Identity Providers" menu
  4. In the "Clients" menu select your saml-broker-authentication client and expand "Authentication Flow Overrides" and under the "Browser Flow" drop down select "Browser2" and save
  5. Your http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication should now directly open the idp and not the keycloak login form.

Then you can create as many authentication flows as IdPs without duplicating the realm.

Geoffrey

kc_idp_hint will work with SAML by passing the IDP alias instead of the IDP display name.

Mohamed Karkotly

You would like to configure it in the Keycloak administration console:

  • Step 1: configure the Identity Provider Redirector: Authentication >> Browser >> click "action" in Identity Provider Redirector

  • Step 2: type the alias of the identity provider that you need in "Default Identity Provider"; in the "Alias" input, type any name

  • Finally: you need to configure the client to use the Browser flow: Clients >> choose the client-id you need to configure SSO for >> Authentication Flow Overrides >> in "Browser Flow" select Browser >> save.

I succeeded on my system. Good luck ^^

Thomas Smyth - Treliant

In order to skip SSO, init Keycloak first, then pass idpHint to login.

const options: KeycloakLoginOptions = {
  idpHint: ' ',
};
keycloak.init({}).then(() => {
  keycloak.login(options).then(() => {
    onSuccess();
  });
});
Athena Chen

In order to get redirected to the IDP login page through the Keycloak broker you can use the following URL: http://localhost:8080/saml-broker-authentication/

planben

You can also extend and write a new authenticator SPI on top of the class IdentityProviderAuthenticator, in which authenticate performs redirect() based on a request URL attribute.

Otherwise, in most cases, kc_idp_hint in the resource URL will help.

E.g. https://resourceserver/resourcepath?kc_idp_hint=google
Sundar Rajan
  • Hello Sundar Rajan, can you please share an example of a custom IdentityProviderAuthenticator? I am planning to have my own implementation of user federation for basic email validation, but for authentication I need to rely on multiple IDPs configured under the realm. – Logicalj Jan 11 '21 at 11:35