Protocol-based providers are those that rely on a specific protocol in order to authenticate and authorize
users. They allow you to connect to any identity provider compliant with a specific protocol.
Keycloak provides support for SAML v2.0 and OpenID Connect v1.0 protocols.
It makes it easy to configure and broker any identity provider based on these open standards.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
Although each type of identity provider has its own configuration options, all of them share some very common configuration.
Regardless the identity provider you are creating, you'll see the following configuration options avaiable:
</para>
<table>
<title>Common Configuration</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Alias</literal>
</entry>
<entry>
The alias is an unique identifier for an identity provider. It is used to reference internally an identity provider.
Some protocols require a <emphasis>redirect uri or callback url</emphasis> in order to communicate with an identity provider. For instance, OpenID Connect.
In this case, the alias is used to build the redirect uri.
Every single identity provider must have an alias. For example, facebook, google, idp.acme.com, etc.
</entry>
</row>
<row>
<entry>
<literal>Name</literal>
</entry>
<entry>
You can give a friendly name to an identity provider.
The name will be used, for example, to display a link or a button in the login page.
</entry>
</row>
<row>
<entry>
<literal>Enabled</literal>
</entry>
<entry>
Allows you to enable or disable an identity provider.
When disabled, the identity provider will not be available from the login page and can not
<entry>Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user
authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login
with this identity provider. Also note, that authenticator implementations must assume that user is already
set in ClientSession as identity provider already set it.
To enable login with Google you first have to create a project and a client in the
<ulinkurl="https://cloud.google.com/console/project">Google Developer Console</ulink>. Then you need to copy
the client id and secret into the Keycloak Admin Console.
</para>
<para>
Let's see first how to create a project with Google.
</para>
<orderedlist>
<listitem>
<para>
Log in to the <ulinkurl="https://cloud.google.com/console/project">Google Developer Console</ulink>. Click the
<literal>Create Project</literal> button. Use any value for <literal>Project name</literal> and
<literal>Project ID</literal> you want, then click the <literal>Create</literal> button. Wait for the project to
be created (this may take a while).
</para>
</listitem>
<listitem>
<para>
Once the project has been created click on <literal>APIs & auth</literal> in sidebar on the left. To retrieve
user profiles the <literal>Google+ API</literal> has to be enabled. Scroll down to find it in the list. If its
status is <literal>OFF</literal>, click on <literal>OFF</literal> to enable it (it should move to the top of
the list and the status should be <literal>ON</literal>).
</para>
</listitem>
<listitem>
<para>
Now click on the <literal>Consent screen</literal> link on the sidebar menu on the left. You must specify
a project name and choose an email for the consent screen. Otherwise users will get a login error. There's
other things you can configure here like what the consent screen looks like. Feel free to play around with this.
</para>
</listitem>
<listitem>
<para>
Now click <literal>Credentials</literal> in the sidebar on the left. Then click
<literal>Create New Client ID</literal>. Select <literal>Web application</literal> as
<literal>Application type</literal>. Empty the <literal>Authorized Javascript origins</literal> textarea.
Click the <literal>Create Client ID</literal> button.
</para>
</listitem>
<listitem>
<para>
Copy <literal>Client ID</literal> and <literal>Client secret</literal>.
</para>
</listitem>
</orderedlist>
<para>
Now that you have the client id and secret, you can proceed with the creation of a Google Identity Provider in Keycloak. As follows:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>Google</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provided.
</para>
</listitem>
<listitem>
<para>
Copy the client id and secret to their corresponding fields in the Keycloak Admin Console. Click <literal>Save</literal>.
</para>
</listitem>
</orderedlist>
<para>
Once you create the identity provider in Keycloak, you must update your Google project with the redirect url that was
generated to your identity provider.
</para>
<orderedlist>
<listitem>
<para>
Open the Google Developer Console and select your project. Click <literal>Credentials</literal> in the
sidebar on the left. In <literal>Authorized redirect URI</literal> insert the redirect uri created by Keycloak. The redirect uri
usually have the following format: <literal>http://{host}:{port}/auth/realms/{realm}/broker/{provider_alias}</literal>.
</para>
</listitem>
</orderedlist>
<note>
<para>
You can always get the redirect url for a specific identity provider from the table presented when you
click on the 'Identity Provider' tab in <emphasis>Realm > Settings</emphasis>.
</para>
</note>
<para>
That is it! This is pretty much what you need to do in order to setup this identity provider.
</para>
<para>
The table below lists some additional configuration options you may use when configuring this provider.
</para>
<table>
<title>Configuration Options</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Default Scopes</literal>
</entry>
<entry>
Allows you to manually specify the scopes that users must authorize when authenticating with this provider. For a complete list of scopes, please take a look at <ulinkurl="https://developers.google.com/oauthplayground/">https://developers.google.com/oauthplayground/</ulink>. By default, Keycloak uses the following scopes: <literal>openid profile email</literal>
</entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section>
<title>Facebook</title>
<para>
To enable login with Facebook you first have to create an application in the
<ulinkurl="https://developers.facebook.com/">Facebook Developer Console</ulink>. Then you need to copy
the client id and secret into the Keycloak Admin Console.
</para>
<para>
Let's see first how to create an application with Facebook.
</para>
<orderedlist>
<listitem>
<para>
Log in to the <ulinkurl="https://developers.facebook.com/">Facebook Developer Console</ulink>. Click
<literal>Apps</literal> in the menu and select <literal>Create a New App</literal>. Use any value for
<literal>Display Name</literal> and <literal>Category</literal> you want, then click the
<literal>Create App</literal> button. Wait for the project to be created (this may take a while). If after
creating the app you are not redirected to the app settings, click on <literal>Apps</literal> in the
menu and select the app you created.
</para>
</listitem>
<listitem>
<para>
Once the app has been created click on <literal>Settings</literal> in sidebar on the left. You must specify
a contact email. Save your changes. Then click
on <literal>Advanced</literal>. Under <literal>Security</literal> make sure
<literal>Client OAuth Login</literal> is enabled. Scroll down and click on the <literal>Save Changes</literal> button.
</para>
</listitem>
<listitem>
<para>
Click <literal>Status & Review</literal> and select <literal>YES</literal> for <literal>Do you want
to make this app and all its live features available to the general public?</literal>. You will
not be able to set this until you have provided a contact email in the general settings of this application.
</para>
</listitem>
<listitem>
<para>
Click <literal>Basic</literal>. Copy <literal>App ID</literal> and <literal>App Secret</literal>
(click <literal>show</literal>) from the <ulinkurl="https://developers.facebook.com/">Facebook Developer Console</ulink>.
</para>
</listitem>
</orderedlist>
<para>
Now that you have the client id and secret, you can proceed with the creation of a Facebook Identity Provider in Keycloak. As follows:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>Facebook</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provided.
</para>
</listitem>
<listitem>
<para>
Copy the client id and secret to their corresponding fields in the Keycloak Admin Console. Click <literal>Save</literal>.
</para>
</listitem>
</orderedlist>
<para>
Once you create the identity provider in Keycloak, you must update your Facebook application with the redirect url that was
generated to your identity provider.
</para>
<orderedlist>
<listitem>
<para>
Open the Facebook Developer Console and select your application. Click
on <literal>Advanced</literal>. Under <literal>Security</literal> make sure
<literal>Client OAuth Login</literal> is enabled. In <literal>Valid OAuth redirect URIs</literal> insert
the redirect uri created by Keycloak. The redirect uri
usually have the following format: <literal>http://{host}:{port}/auth/realms/{realm}/broker/{provider_alias}</literal>.
</para>
</listitem>
</orderedlist>
<note>
<para>
You can always get the redirect url for a specific identity provider from the table presented when you
click on the 'Identity Provider' tab in <emphasis>Realm > Settings</emphasis>.
</para>
</note>
<para>
That is it! This pretty much what you need to do in order to setup this identity provider.
</para>
<para>
The table below lists some additional configuration options you may use when configuring this provider.
</para>
<table>
<title>Configuration Options</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Default Scopes</literal>
</entry>
<entry>
Allows you to manually specify the scopes that users must authorize when authenticating with this provider. For a complete list of scopes, please take a look at <ulinkurl="https://developers.facebook.com/docs/graph-api">https://developers.facebook.com/docs/graph-api</ulink>. By default, Keycloak uses the following scopes: <literal>email</literal>
</entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section>
<title>Twitter</title>
<para>
To enable login with Twtter you first have to create an application in the
<ulinkurl="https://dev.twitter.com/apps">Twitter Developer Console</ulink>. Then you need to copy
the consumer key and secret into the Keycloak Admin Console.
</para>
<para>
Let's see first how to create an application with Twitter.
</para>
<orderedlist>
<listitem>
<para>
Log in to the <ulinkurl="https://dev.twitter.com/apps">Twitter Developer Console</ulink>. Click the
<literal>Create a new application</literal> button. Use any value for <literal>Name</literal>,
<literal>Description</literal> and <literal>Website</literal> you want. Insert the social callback url
in <literal>Callback URL</literal>. Then click <literal>Create your Twitter application</literal>.
</para>
</listitem>
<listitem>
<para>
Now click on <literal>Settings</literal> and tick the box <literal>Allow this application to be used to Sign in with Twitter</literal>,
then click on <literal>Update this Twitter application's settings</literal>.
</para>
</listitem>
<listitem>
<para>
Now click <literal>API Keys</literal> tab. Copy <literal>API key</literal> and <literal>API secret</literal> from the
Twitter doesn't allow <literal>localhost</literal> in the redirect URI. To test on a local server
replace <literal>localhost</literal> with <literal>127.0.0.1</literal>.
</para>
</note>
<para>
Now that you have the client id and secret, you can proceed with the creation of a Twitter Identity Provider in Keycloak. As follows:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>Twitter</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provided.
</para>
</listitem>
<listitem>
<para>
Copy the client id and secret to their corresponding fields in the Keycloak Admin Console. Click <literal>Save</literal>.
</para>
</listitem>
</orderedlist>
<para>
That is it! This pretty much what you need to do in order to setup this identity provider.
</para>
<para>
The table below lists some additional configuration options you may use when configuring this provider.
</para>
<table>
<title>Configuration Options</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Default Scopes</literal>
</entry>
<entry>
Not supported by Twitter.
</entry>
</row>
</tbody>
</tgroup>
</table>
</section>
<section>
<title>Github</title>
<para>
To enable login with GitHub you first have to create an application in
<ulinkurl="https://github.com/settings/applications">GitHub Settings</ulink>. Then you need to copy
the client id and secret into the Keycloak Admin Console.
</para>
<para>
Let's see first how to create an application with GitHub.
</para>
<orderedlist>
<listitem>
<para>
Log in to <ulinkurl="https://github.com/settings/applications">GitHub Settings</ulink>. Click the
<literal>Register new application</literal> button. Use any value for <literal>Application name</literal>,
<literal>Homepage URL</literal> and <literal>Application Description</literal> you want. Click the
<literal>Register application</literal> button.
</para>
</listitem>
<listitem>
<para>
Copy <literal>Client ID</literal> and <literal>Client Secret</literal> from the <ulinkurl="https://github.com/settings/applications">GitHub Settings</ulink>.
</para>
</listitem>
</orderedlist>
<para>
Now that you have the client id and secret, you can proceed with the creation of a Github Identity Provider in Keycloak. As follows:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>Github</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provided.
</para>
</listitem>
<listitem>
<para>
Copy the client id and secret to their corresponding fields in the Keycloak Admin Console. Click <literal>Save</literal>.
</para>
</listitem>
</orderedlist>
<para>
Once you create the identity provider in Keycloak, you must update your GitHub application with the redirect url that was
generated to your identity provider.
</para>
<orderedlist>
<listitem>
<para>
Open the GitHub Settings and select your application. In <literal>Authorization callback URL</literal>
insert the redirect uri created by Keycloak. The redirect uri
usually have the following format: <literal>http://{host}:{port}/auth/realms/{realm}/broker/{provider_alias}</literal>.
</para>
</listitem>
</orderedlist>
<note>
<para>
You can always get the redirect url for a specific identity provider from the table presented when you
click on the 'Identity Provider' tab in <emphasis>Realm > Settings</emphasis>.
</para>
</note>
<para>
That is it! This pretty much what you need to do in order to setup this identity provider.
</para>
<para>
The table below lists some additional configuration options you may use when configuring this provider.
</para>
<table>
<title>Configuration Options</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Default Scopes</literal>
</entry>
<entry>
Allows you to manually specify the scopes that users must authorize when authenticating with this provider. For a complete list of scopes, please take a look at <ulinkurl="https://developer.github.com/v3/oauth/#scopes">https://developer.github.com/v3/oauth/#scopes</ulink>. By default, Keycloak uses the following scopes: <literal>user:email</literal>
To enable login with LinkedIn you first have to create an application in
<ulinkurl="https://www.linkedin.com/secure/developer">LinkedIn Developer Network</ulink>. Then you need to copy
the client id and secret into the Keycloak Admin Console.
</para>
<para>
Let's see first how to create an application with LinkedIn.
</para>
<orderedlist>
<listitem>
<para>
Log in to <ulinkurl="https://www.linkedin.com/secure/developer">LinkedIn Developer Network</ulink>. Click the
<literal>Add New Application</literal> link. Use any value for <literal>Application Name</literal>,
<literal>Website URL</literal>, <literal>Description</literal>, <literal>Developer Contact Email</literal> and <literal>Phone</literal> you want.
Select <literal>r_basicprofile</literal> and <literal>r_emailaddress</literal> in the <literal>Default Scope</literal> section.
Click the <literal>Add Application</literal> button.
</para>
</listitem>
<listitem>
<para>
Copy <literal>Consumer Key / API Key</literal> and <literal>Consumer Secret / Secret Key</literal> from the shown page.
</para>
</listitem>
</orderedlist>
<para>
Now that you have the client id and secret, you can proceed with the creation of a LinkedIn Identity Provider in Keycloak. As follows:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>LinkedIn</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provided.
</para>
</listitem>
<listitem>
<para>
Copy the client id and secret to their corresponding fields in the Keycloak Admin Console. Click <literal>Save</literal>.
</para>
</listitem>
</orderedlist>
<para>
Once you create the identity provider in Keycloak, you must update your LinkedIn application with the redirect url that was
generated to your identity provider.
</para>
<orderedlist>
<listitem>
<para>
Open the LinkedIn Developer Network and select your application. In <literal>OAuth 2.0 Redirect URLs</literal>
insert the redirect uri created by Keycloak. The redirect uri
usually have the following format: <literal>http://{host}:{port}/auth/realms/{realm}/broker/{provider_alias}/endpoint</literal>.
</para>
</listitem>
</orderedlist>
<note>
<para>
You can always get the redirect url for a specific identity provider from the table presented when you
click on the 'Identity Provider' tab in <emphasis>Realm > Settings</emphasis>.
</para>
</note>
<para>
That is it! This pretty much what you need to do in order to setup this identity provider.
</para>
<para>
The table below lists some additional configuration options you may use when configuring this provider.
</para>
<table>
<title>Configuration Options</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Default Scopes</literal>
</entry>
<entry>
Allows you to manually specify the scopes that users must authorize when authenticating with this provider.
For a complete list of scopes, please take a look at application configuration in <ulinkurl="https://www.linkedin.com/secure/developer">LinkedIn Developer Network</ulink>. By default, Keycloak uses the following scopes: <literal>r_basicprofile r_emailaddress</literal>
To enable login with Microsoft account you first have to register an OAuth application on
<ulinkurl="https://account.live.com/developers/applications/index">Microsoft account Developer Center</ulink>. Then you need to copy the client id and secret into the Keycloak Admin Console.
</para>
<para>
Let's see first how to create an application with Microsoft.
</para>
<orderedlist>
<listitem>
<para>
Go to <ulinkurl="https://account.live.com/developers/applications/create">create new application on Microsoft account Developer Center</ulink> url and login here.
Use any value for <literal>Application Name</literal>, <literal>Application Logo</literal> and <literal>URLs</literal> you want.
In <literal>API Settings</literal> set <literal>Target Domain</literal> to the domain where your Keycloak instance runs.
</para>
</listitem>
<listitem>
<para>
Copy <literal>Client Id</literal> and <literal>Client Secret</literal> from <literal>App Settings</literal> page.
</para>
</listitem>
</orderedlist>
<para>
Now that you have the client id and secret you can proceed with the creation of a Microsoft Identity Provider in Keycloak. As follows:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>Microsoft</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provided.
</para>
</listitem>
<listitem>
<para>
Copy the client id and client secret to their corresponding fields in the Keycloak Admin Console. Click <literal>Save</literal>.
</para>
</listitem>
</orderedlist>
<para>
Once you create the identity provider in Keycloak, you must update your Microsoft application with the redirect url that was
generated to your identity provider.
</para>
<orderedlist>
<listitem>
<para>
Open the Microsoft account Developer Center and select <literal>API Settings</literal> of your application. In <literal>Redirect URLs</literal>
insert the redirect uri created by Keycloak. The redirect uri
usually have the following format: <literal>http://{host}:{port}/auth/realms/{realm}/broker/microsoft/endpoint</literal>.
</para>
</listitem>
</orderedlist>
<note>
<para>
You can always get the redirect url for a specific identity provider from the table presented when you
click on the 'Identity Provider' tab in <emphasis>Realm > Settings</emphasis>.
</para>
</note>
<para>
That is it! This pretty much what you need to do in order to setup this identity provider.
</para>
<para>
The table below lists some additional configuration options you may use when configuring this provider.
</para>
<table>
<title>Configuration Options</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Default Scopes</literal>
</entry>
<entry>
Allows you to manually specify the scopes that users must authorize when authenticating with this provider. For a complete list of scopes, please take a look at <ulinkurl="https://msdn.microsoft.com/en-us/library/hh243646.aspx">https://msdn.microsoft.com/en-us/library/hh243646.aspx</ulink>. By default, Keycloak uses the following scopes: <literal>wl.basic,wl.emails</literal>
To enable login with StackOverflow you first have to register an OAuth application on
<ulinkurl="https://stackapps.com/">StackApps</ulink>. Then you need to copy the client id, secret and key into the Keycloak Admin Console.
</para>
<para>
Let's see first how to create an application with StackOverflow.
</para>
<orderedlist>
<listitem>
<para>
Go to <ulinkurl="http://stackapps.com/apps/oauth/register">registering your application on Stack Apps</ulink> url and login here.
Use any value for <literal>Application Name</literal>, <literal>Application Website</literal> and <literal>Description</literal> you want.
Set <literal>OAuth Domain</literal> to the domain where your Keycloak instance runs.
Click the <literal>Register Your Application</literal> button.
</para>
</listitem>
<listitem>
<para>
Copy <literal>Client Id</literal>, <literal>Client Secret</literal> and <literal>Key</literal> from the shown page.
</para>
</listitem>
</orderedlist>
<para>
Now that you have the client id, secret and key, you can proceed with the creation of a StackOverflow Identity Provider in Keycloak. As follows:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>StackOverflow</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provided.
</para>
</listitem>
<listitem>
<para>
Copy the client id, client secret and key to their corresponding fields in the Keycloak Admin Console. Click <literal>Save</literal>.
</para>
</listitem>
</orderedlist>
<para>
That is it! This pretty much what you need to do in order to setup this identity provider.
</para>
<para>
The table below lists some additional configuration options you may use when configuring this provider.
</para>
<table>
<title>Configuration Options</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Default Scopes</literal>
</entry>
<entry>
Allows you to manually specify the scopes that users must authorize when authenticating with this provider.
For a complete list of scopes, please take a look at application configuration in <ulinkurl="https://api.stackexchange.com/docs/authentication#scope">StackExchange API Authentication</ulink> documentation. Keycloak uses the empty scope by default.
Keycloak can broker identity providers based on the SAML v2.0 protocol.
</para>
<para>
In order to configure a SAML identity provider, follow these steps:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>SAML v2.0</literal> identity provider from the drop-down box on the top right
corner of the identity providers table in Keycloak's Admin Console.
You should be presented with a specific page to configure the selected provider.
</para>
</listitem>
</orderedlist>
<para>
When configuring a SAML identity provider you are presented with different configuration options in order to
properly communicate and integrate with the external identity provider.
In this case, you must keep in mind that Keycloak will act as an Service Provider that issues authentication requests(AuthnRequest)
to the external identity provider.
</para>
<table>
<title>Configuration Options</title>
<tgroupalign="left"cols="2">
<thead>
<row>
<entry>
Configuration
</entry>
<entry>
Description
</entry>
</row>
</thead>
<tbodyvalign="top">
<row>
<entry>
<literal>Import IdP SAML Metadata</literal>
</entry>
<entry>
When creating a new identity provider, you may just upload the SAML Metadata for the brokered IdP (IDPSSODescriptor). In this case, Keycloak will read all the necessary configuration from the metadata and automatically configure the identity provider for you.
</entry>
</row>
<row>
<entry>
<literal>Single Sign-On Service Url</literal>
</entry>
<entry>
Allows you to specify the URL that will be used to send SAML authentication requests.
Allows you to specify a NameID Policy that will be sent in the SAML authentication request.
</entry>
</row>
<row>
<entry>
<literal>Validating X509 Certificate</literal>
</entry>
<entry>
Allows you to specify the certificate in PEM format that will be used to validate signatures for all messages received from the brokered identity provider.
</entry>
</row>
<row>
<entry>
<literal>Want AuthnRequests Signed</literal>
</entry>
<entry>
Allows you to specify whether the brokered identity provider is expecting signed SAML authentication requests or not.
</entry>
</row>
<row>
<entry>
<literal>Force Authentication</literal>
</entry>
<entry>
Allows you to tell the brokered identity provider that user must be authenticated even if he was previously authenticated (re-authentication) in the same session.
</entry>
</row>
<row>
<entry>
<literal>Validate Signature</literal>
</entry>
<entry>
Enable or disable signature validation of any message returned by the brokered identity provider.
</entry>
</row>
<row>
<entry>
<literal>HTTP-POST Binding Response</literal>
</entry>
<entry>
Allows you to specify if responses from the brokered identity providers are returned using the HTTP-POST or HTTP-Redirect protocol bindings. If enabled, only responses using HTTP-POST binding are accepted.
</entry>
</row>
<row>
<entry>
<literal>HTTP-POST Binding for AuthnReques</literal>
Allows you to specify whether SAML authentication requests must be sent using the HTTP-POST or HTTP-Redirect protocol bindings. If enabled, it will send requests using HTTP-POST binding.
Keycloak can broker identity providers based on the OpenID Connect v1.0 protocol.
</para>
<para>
In order to configure a OIDC identity provider, follow these steps:
</para>
<orderedlist>
<listitem>
<para>
Select the <literal>OpenID Connect v1.0</literal> identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. You should be presented with a specific page to configure the selected provider.
</para>
</listitem>
</orderedlist>
<para>
When configuring an OIDC identity provider you are presented with different configuration options in order to send authentication requests to the external identity provider. In this case, the brokered identity provider must support the Authorization Code Flow (as defined by the specification) in order to authenticate the user and authorize access for the scopes specified in the configuration.
The user info url. This is usually an url from where Keycloak will obtain user information in order to create a local account.
</entry>
</row>
<row>
<entry>
<literal>Client ID</literal>
</entry>
<entry>
The client id is usually generated when configuring an application or a project on the brokered identity provider.
</entry>
</row>
<row>
<entry>
<literal>Client Secret</literal>
</entry>
<entry>
The client secret is usually generated when configuring an application or a project on the brokered identity provider.
</entry>
</row>
<row>
<entry>
<literal>Issuer</literal>
</entry>
<entry>
Allows you to specify the expected value for the "issuer" claim when validating the ID token.
</entry>
</row>
<row>
<entry>
<literal>Default Scopes</literal>
</entry>
<entry>
Allows you to specify additional scopes when asking for user authentication and consent. By default, scope <literal>openid</literal> is always appended to the list of the scopes.
</entry>
</row>
<row>
<entry>
<literal>Prompt</literal>
</entry>
<entry>
Allows you to specify how the brokered identity provider must prompt user for authentication. You must check which values are supported by the brokered identity provider before choosing a value.
Keycloak supports a specific HTTP query parameter that you can use as a hint to tell the server which identity provider should be used to authenticate the user.
When Keycloak successfully authenticates user through identity provider (step 8 in <linklinkend="identity-broker-overview">Overview</link> chapter),
there can be two situations:
<orderedlist>
<listitem>
<para>
There is already Keycloak user account linked with the authenticated identity provider account. In this case,
Keycloak will just authenticate as the existing user and redirect back to application (step 9 in <linklinkend="identity-broker-overview">Overview</link> chapter).
</para>
</listitem>
<listitem>
<para>
There is not yet existing Keycloak user account linked with the identity provider account. This situation is more tricky.
Usually you just want to register new account into Keycloak database, but what if there is existing Keycloak account with same email like the identity provider account?
Automatically link identity provider account with existing Keycloak account is not very good option as there are possible security flaws related to that...
</para>
</listitem>
</orderedlist>
</para>
<para>
Because we had various requirements what to do in second case, we changed the behaviour to be flexible and configurable
through <linklinkend="auth_spi">Authentication Flows SPI</link>. In admin console in Identity provider settings, there is option
<literal>First Login Flow</literal>, which allows you to choose, which workflow will be used after "first login" with this identity provider account.
By default it points to <literal>first broker login</literal> flow, but you can configure and use your own flow and use different flows for different identity providers etc.
</para>
<para>
The flow itself is configured in admin console under <literal>Authentication</literal> tab. When you choose <literal>First Broker Login</literal> flow,
you will see what authenticators are used by default. You can either re-configure existing flow (For example disable some authenticators,
mark some of them as <literal>required</literal>, configure some authenticators etc). Or you can even create new authentication flow and/or
write your own Authenticator implementations and use it in your flow. See <linklinkend="auth_spi">Authentication Flows SPI</link> for more details on how to do it.
</para>
<para>
For <literal>First Broker Login</literal> case, it might be useful if your Authenticator is subclass of <literal>org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator</literal>
so you have access to all details about authenticated Identity provider account. But it's not a requirement.
</para>
<section>
<title>Default First Login Flow</title>
<para>
Let's describe the default behaviour provided by <literal>First Broker Login</literal> flow. There are those authenticators:
<variablelist>
<varlistentry>
<term>Review Profile</term>
<listitem>
<para>
This authenticator might display the profile info page, where user can review his profile retrieved from identity provider.
The authenticator is configurable. You can set <literal>Update Profile On First Login</literal> option.
When <literal>On</literal>, users will be always presented with the profile page asking for additional information
in order to federate their identities. When <literal>missing</literal>, users will be presented with
the profile page only if some mandatory information (email, first name, last name) is not provided by identity provider.
If <literal>Off</literal>, the profile page won't be displayed, unless user clicks in later phase on <literal>Review profile info</literal>
link (page displayed in later phase by <literal>Confirm Link Existing Account</literal> authenticator)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Create User If Unique</term>
<listitem>
<para>
This authenticator checks if there is already existing Keycloak account with same email or username like
the account from identity provider. If it's not, then authenticator just creates new Keyclok account and
link it with identity provider and whole flow is finished. Otherwise it goes to the next <literal>Handle Existing Account</literal> subflow.
If you always want to ensure that there is no duplicated account, you can mark this authenticator as <literal>REQUIRED</literal> .
In this case, the user will see the error page if there is existing Keycloak account and user needs
to link his identity provider account through Account management.
</para>
<para>
This authenticator also has config option <literal>Require Password Update After Registration</literal> .
When enabled, user is required to update password after account is created.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Confirm Link Existing Account</term>
<listitem>
<para>
User will see the info page, that there is existing Keycloak account with same email. He can either
review his profile again and use different email or username (flow is restarted and goes back to <literal>Review Profile</literal> authenticator).
Or he can confirm that he wants to link identity provider account with his existing Keycloak account.
Disable this authenticator if you don't want users to see this confirmation page, but go straight
to linking identity provider account by email verification or re-authentication.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Verify Existing Account By Email</term>
<listitem>
<para>
This authenticator is <literal>ALTERNATIVE</literal> by default, so it's used only if realm has SMTP setup configured.
It will send mail to user, where he can confirm that he wants to link identity provider with his Keycloak account.
Disable this if you don't want to confirm linking by email, but instead you always want users to reauthenticate with their password (and alternatively OTP).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Verify Existing Account By Re-authentication</term>
<listitem>
<para>
This authenticator is used if email authenticator is disabled or non-available (SMTP not configured for realm). It
will display login screen where user needs to authenticate with his password to link his Keycloak account with Identity provider.
User can also re-authenticate with some different identity provider, which is already linked to his keycloak account.
You can also force users to use OTP, otherwise it's optional and used only if OTP is already set for user account.