keycloak-scim/server_admin/topics/identity-broker/suggested.adoc

[[_client_suggested_idp]]
=== Client Suggested Identity Provider

OIDC applications can bypass the {{book.project.name}} login page by specifying a hint on which
identity provider they want to use.

This is done by setting the `kc_idp_hint` query parameter in the Authorization Code Flow authorization endpoint.

{{book.project.name}} OIDC client adapters also allow you to specify this query parameter when you access a secured resource
at the application.

For example

[source,java]
----
GET /myapplication.com?kc_idp_hint=facebook HTTP/1.1
Host: localhost:8080
----

In this case, is expected that your realm has an identity provider with an alias `facebook`. If this provider doesn't exist the login form will be displayed.

If you are using `keycloak.js` adapter, you can also achieve the same behavior:

[source,java]
----
var keycloak = new Keycloak('keycloak.json');

keycloak.createLoginUrl({
	idpHint: 'facebook'
});
----

The `kc_idp_hint` query parameter also allows the client to override the default identity provider if one is configured for the `Identity Provider Redirector` authenticator. The client can also disable the automatic redirecting by setting the `kc_idp_hint` query parameter to an empty value.
Add link to client suggested idp 2017-04-21 08:19:53 +00:00			`[[_client_suggested_idp]]`
google 2016-05-26 16:09:04 +00:00			`=== Client Suggested Identity Provider`

Update topics/identity-broker/suggested.adoc 2016-09-07 12:12:08 +00:00			`OIDC applications can bypass the {{book.project.name}} login page by specifying a hint on which`
broker 2016-05-27 15:23:34 +00:00			`identity provider they want to use.`
Update topics/identity-broker/suggested.adoc 2016-09-07 12:12:08 +00:00
			This is done by setting the `kc_idp_hint` query parameter in the Authorization Code Flow authorization endpoint.
google 2016-05-26 16:09:04 +00:00
broker 2016-05-27 15:23:34 +00:00			`{{book.project.name}} OIDC client adapters also allow you to specify this query parameter when you access a secured resource`
			`at the application.`
google 2016-05-26 16:09:04 +00:00
broker 2016-05-27 15:23:34 +00:00			`For example`
google 2016-05-26 16:09:04 +00:00
			`[source,java]`
			`----`
			`GET /myapplication.com?kc_idp_hint=facebook HTTP/1.1`
			`Host: localhost:8080`
			`----`

Update topics/identity-broker/suggested.adoc 2016-09-07 12:12:08 +00:00			In this case, is expected that your realm has an identity provider with an alias `facebook`. If this provider doesn't exist the login form will be displayed.
google 2016-05-26 16:09:04 +00:00
			If you are using `keycloak.js` adapter, you can also achieve the same behavior:

			`[source,java]`
			`----`
			`var keycloak = new Keycloak('keycloak.json');`

			`keycloak.createLoginUrl({`
			`idpHint: 'facebook'`
			`});`
			`----`

Update topics/identity-broker/suggested.adoc 2016-09-07 12:12:08 +00:00			The `kc_idp_hint` query parameter also allows the client to override the default identity provider if one is configured for the `Identity Provider Redirector` authenticator. The client can also disable the automatic redirecting by setting the `kc_idp_hint` query parameter to an empty value.