How to bypass Keycloak login form and jump directly to the IDP login?

AlikElzin-kilaka · Sep 24, 2017 · Viewed 11.5k times

I'm running the saml-broker-authentication example. The first thing that I see in the UI is a user/pass form with an option to use a broker (image below).

Is there a way to skip this form and go straight to the IDP?

After clicking on one of the IDPs, I get a URL of the sort: http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication&code=<keycloak generated>

I tried using the following URL (without the code) directly but got an error. (http://localhost:8080/auth/realms/saml-broker-authentication-realm/broker/sanity-idp/login?client_id=saml-broker-authentication)

Any idea how to bypass Keycloak auth and directly go to the IDP through the SP(broker)? Thanks.

UPDATE: My TL found a static solution: put the IDP ID in the browser's authentication flow under the Identity Provider Redirector execution. BUT, we're trying to find a dynamic way to do it. Looked at the kc_idp_hint documentation but couldn't find a way to make the saml-broker-authentication example work with it :(


Answer

bmaupin · Jul 24, 2018

As you mentioned, you can bypass the Keycloak screen and go directly to the IdP by setting a default identity provider for the whole realm:

It is possible to automatically redirect to an identity provider instead of displaying the login form. To enable this, go to the Authentication page in the administration console and select the Browser flow. Then click on config for the Identity Provider Redirector authenticator. Set Default Identity Provider to the alias of the identity provider you want to automatically redirect users to.

(https://www.keycloak.org/docs/latest/server_admin/index.html#default_identity_provider)

Unfortunately, that's for the whole realm and can't be set dynamically or per SP. kc_idp_hint seems to be the solution, but it's only for OIDC:

OIDC applications can bypass the Keycloak login page by specifying a hint on which identity provider they want to use.

This is done by setting the kc_idp_hint query parameter in the Authorization Code Flow authorization endpoint.

(https://www.keycloak.org/docs/latest/server_admin/#_client_suggested_idp)

It looks like there's a feature request to add kc_idp_hint support for SAML but it's still unresolved:

https://issues.jboss.org/browse/KEYCLOAK-4884

As a workaround, you could create a new realm and set the default identity provider for that realm. That way if you had SPs that needed to be brokered to different IdPs, you could set them up in the appropriate realm.

The downside is each realm acts as its own IdP so it has its own entity ID, public key, etc. You'd effectively have to set the SP up again each time to have it default to a different IdP.
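For the OIDC case the answer describes, here is an added example (not part of the answer or of Keycloak itself) of how an SP picks the IdP per client by appending kc_idp_hint to the Authorization Code Flow URL, and how it checks the state value on the way back. The realm path follows the /auth/realms/<realm>/protocol/openid-connect/auth layout of the Keycloak version in the question; the client names, IdP aliases and routing table are constructed for illustration.

```python
# Added example: build a Keycloak OIDC authorization URL with kc_idp_hint so
# the chosen client is sent straight to one identity provider, and validate
# the state on the callback. Client names, aliases and the route table are
# constructed, not taken from the question or answer.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed routing table: which IdP alias each OIDC client is brokered to.
IDP_FOR_CLIENT = {
    "app-a": "sanity-idp",
    "app-b": "corp-idp",
}


def build_auth_url(base, realm, client_id, redirect_uri, state, idp_alias=None):
    """Return the Authorization Code Flow URL for `client_id`.

    When an alias is given, or found in IDP_FOR_CLIENT, kc_idp_hint is added
    so Keycloak skips its login form and redirects to that IdP directly.
    """
    alias = idp_alias or IDP_FOR_CLIENT.get(client_id)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if alias:
        params["kc_idp_hint"] = alias
    return f"{base}/auth/realms/{realm}/protocol/openid-connect/auth?" + urlencode(params)


def new_state():
    """Unguessable per-request state, stored in the user's session."""
    return secrets.token_urlsafe(24)


def parse_callback(url, expected_state):
    """Extract the authorization code from the redirect back to the SP.

    The callback is rejected unless its state matches the one we generated,
    which ties the response to a request this SP actually started.
    """
    q = parse_qs(urlsplit(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]
```

Which IdP gets the hint is decided by the SP, so the mapping can change per client without touching the realm's Identity Provider Redirector setting.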