Commit 6bcb626

Update README.md to add Identity provider config guide
1 parent 6618c7d commit 6bcb626

1 file changed

+35
-0
lines changed

README.md

@@ -205,6 +205,41 @@ Ensure that you protect authentication to your clients in all flows a user may a
205205

206206
Here is one example: suppose a user tries to log in via the built-in browser flow, at the end of which you have added the "Restrict user authentication on clients" step. If the "Cookie" or "Forms" alternative is used, the user will proceed to this step and be evaluated. But if it is the "Identity Provider Redirector" alternative which gets used, the subsequent steps will be skipped and the user will not be subject to this validation (this is a general feature of how brokering works in Keycloak authentication flows, not specific to this plugin). This extension must also be configured in the identity provider's post login flow in order to apply.
207207

208+
### Protect an identity provider
209+
210+
1) Login to the Keycloak Admin Console and navigate to Authentication :
211+
212+
Access the Keycloak Admin Console using your administrator credentials.
213+
In the left-hand menu, go to "Authentication".
214+
![AuthFlow_Authentication](https://github.com/user-attachments/assets/89021a3a-6961-4553-9556-705e74a04855)
215+
216+
Under the "Flows" tab, you’ll see the various authentication flows used by Keycloak.
217+
218+
219+
2) Create a New Authentication Flow:
220+
![AuthFlow_CreateFlow](https://github.com/user-attachments/assets/5e1d0602-5c46-4583-83e2-7b9756a584a7)
221+
222+
Click on "Create Flow".
223+
Give your flow a name, e.g., "Restrict User Authentication Flow".
224+
Choose "Generic" as the flow type and click "Save".
225+
Once your flow is created, you need to add steps to it. Click on "Add Step".
226+
Select "Restrict User Authentication on Clients".
227+
This step ensures that only authorized clients can proceed with the authentication process for the user.
228+
![AuthFlow](https://github.com/user-attachments/assets/d1cbb7ed-7141-4a79-88c7-6ae9277f89d9)
229+
230+
231+
3) Configure the Identity Provider:
232+
233+
Now go to the "Identity Providers" section of Keycloak.
234+
Find the Identity Provider (IDP) that you want to protect with this new flow, for the example we will use "google".
235+
![AuthFlow_google](https://github.com/user-attachments/assets/2c8c6d17-007b-487c-8669-05c7c7827c1d)
236+
237+
Under the IDP settings, find "Post login flow" and choose to use the newly created authentication flow.
238+
![image](https://github.com/user-attachments/assets/80e1d092-25c5-4a4b-9eb5-1f7db5a93a22)
239+
240+
241+
At this point your Identity provider is configured, this ensures that whenever authentication occurs through this IDP, the post-authentication flow you’ve configured will be applied preventing un-authorized clients to proceed with the authentication process.
242+
208243
### Disable the `Audience Resolve` mapper if necessary
209244
The [`Audience Resolve` protocol mapper](https://www.keycloak.org/docs/latest/server_admin/#_audience_resolve) is enabled by default by client scope `roles`, but it may be necessary to remove it in some cases.
210245
Failing to set up audience claims correctly may result in a token containing the restricted client as an audience claim, even if the user does not have access to that client.
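Review bot: step 2 of the new "Protect an identity provider" section stops at "Select 'Restrict User Authentication on Clients'" and never says which requirement level to give the added step; a reader following the guide needs that before the flow enforces anything, so suggest adding a line such as "Set the step's requirement to Required" right after the "Add Step" instruction. Smaller wording fixes in the same hunk: "Login to the Keycloak Admin Console and navigate to Authentication :" should read "Log in to the Keycloak Admin Console and navigate to Authentication:" (verb form and stray space before the colon), and the closing paragraph's "preventing un-authorized clients to proceed with the authentication process" should read "preventing unauthorized clients from proceeding with the authentication process". The closing paragraph also calls it "the post-authentication flow" while the IDP setting and the surrounding context both say "Post login flow"; using one term throughout avoids a reader hunting for a setting that does not exist under that name.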
