
I would like to setup Google federation using Keycloak however only for authorized users in my company.

Setting up Google federation allows any Google account to login.

I have looked at the authentication flow on Keycloak but I have been unable to find a way to set it up. I can think of a few simple scenarios that I had hoped Keycloak allowed out of the box:

  1. Instead of automatically creating an account when somebody tries to login, require that an account with the exact same email/username already exists and just link them based on the email when that specific user tries to login.

  2. Automatically create an account the first time the user logs in using Google and link them, however require an admin to manually activate the account before it can be used.

  3. A combination of the first two. Enable registration, allow the user to register an account and require an admin to activate the account, at which point the user can link them.

Try as I might, I seem to be unable to configure this. There seems to be no way to have Keycloak create an account that requires activation, and if I try to create a flow where the "unique account creation" authenticator is not included, it immediately throws the user to an "invalid username/password" screen.

Did I miss something? Is there no other option than manually creating an account and linking it for every single user (or write my own authenticator which I am trying to avoid)?

Alexandre Thenorio

2 Answers


You could implement a custom form action. It's easier than you would expect.

If you don't want to write code you could maybe use the 'script' form action which is already available. You can get to it this way:

Authentication -> Select 'First broker login' in the dropdown -> Make a copy of it (making a copy allows you to edit it). Now click 'Add execution' and choose 'Script'. Move it upwards to the top, so it's the first form action in your flow. Put the radio button on 'REQUIRED' and go to actions -> config. Now in the script you could check the username or email to match a pattern (maybe the domain name of your company); if the pattern match fails, you can call the context.failure(..) method, which is already available in the default script.

Make sure that you select this (new) first broker login in your identity provider configuration.

ChristopherS
  • I don't see an option 'Script' in 'Add Execution'. I'm using Keycloak v7.0.0. Where can I find this? – Amith Koujalgi Apr 05 '20 at 04:12
  • See this on how to enable the script authenticator: https://stackoverflow.com/questions/53390134/keycloak-script-authenticator-missing – Friedrich Apr 16 '20 at 15:50
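The domain check this answer describes, written out as a worked example. This is added illustration code, not the default script that ships with Keycloak and not code posted by the answerer. The plain-JavaScript part (`ALLOWED_DOMAINS`, `emailDomain`, `isAllowedEmail`) runs anywhere; `authenticate(context)` is the entry point Keycloak calls for a Script execution. Because no local user exists yet during first broker login, the wrapper reads the email from the brokered identity stored in the authentication session; the names `SerializedBrokeredIdentityContext` and `AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE` are assumptions about the Keycloak server API and should be verified against your version. The domains in `ALLOWED_DOMAINS` are constructed placeholders.

```javascript
// Added example: allow-list check on the brokered email for a Keycloak
// "Script" execution in a copied First Broker Login flow. Not Keycloak's
// default script and not code from the original answer.

// Domains allowed to log in through Google. Constructed placeholders;
// replace with your company's domain(s).
var ALLOWED_DOMAINS = ["example.com", "corp.example.com"];

// Return the lower-cased domain part of a single email address, or null if
// the value is not a plausible address. Rejects surrounding whitespace,
// multiple '@' and empty parts, so "alice@example.com@evil.test" is not
// mistaken for an example.com address.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  var trimmed = email.trim();
  if (trimmed !== email || trimmed.length === 0) return null;
  if (/\s/.test(trimmed)) return null;
  var parts = trimmed.split("@");
  if (parts.length !== 2 || parts[0].length === 0 || parts[1].length === 0) return null;
  return parts[1].toLowerCase();
}

// Exact, case-insensitive match against the allow list. Deliberately avoids
// endsWith()/indexOf(), which would let "notexample.com" through.
function isAllowedEmail(email, allowedDomains) {
  var domain = emailDomain(email);
  if (domain === null) return false;
  for (var i = 0; i < allowedDomains.length; i++) {
    if (domain === allowedDomains[i].toLowerCase()) return true;
  }
  return false;
}

// Keycloak entry point: invoked with the AuthenticationFlowContext. In the
// first-broker-login flow the `user` binding is null (the account has not been
// created yet), so the email comes from the brokered identity context.
// Class/note names below are assumptions about the Keycloak server API.
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var SerializedBrokeredIdentityContext = Java.type(
    "org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
  var AbstractIdpAuthenticator = Java.type(
    "org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");

  var brokered = SerializedBrokeredIdentityContext.readFromAuthenticationSession(
    context.getAuthenticationSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
  var email = brokered === null ? null : brokered.getEmail();

  if (!isAllowedEmail(email, ALLOWED_DOMAINS)) {
    // Fail closed: a missing or foreign-domain email never reaches account creation.
    LOG.warn("Rejected federated login for email outside allowed domains: " + email);
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  context.success();
}
```

Paste the whole block as the script body of the Script execution placed first in the copied flow, marked REQUIRED. Two points worth keeping in mind: the check only runs during first broker login, so users whose accounts are already linked are not re-evaluated by it, and an exact domain comparison is used on purpose, since a suffix check would accept lookalike domains.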

If you are OK with folks from a single domain (e.g. @yourco.com), you can use the Hosted Domain parameter on the settings page. For Google specifically, at least as of Keycloak 11.x, both Google and Keycloak will ensure the user's email address matches the entered domain. I do not know if it's possible to enter multiple domains.

What we do is use the hosted domain option, and grant these new users a simple role that allows them to log into the admin panel and have read permissions on a few simple areas. This makes it easy to set up new accounts in Keycloak; we just tell users to go log in and they are set up with basic access. If someone warrants more advanced access to read private data or even write some data, they have to contact our ops team, who may choose to grant them some more roles in Keycloak.

[Screenshot: location of the Hosted Domain parameter on the Google identity provider settings page]

Hamy