keycloak-scim/server_admin/topics/identity-broker/first-login-flow.adoc

[[_identity_broker_first_login]]

=== First Login Flow

When a user logs in through identity brokering some aspects of the user are imported and linked within the realm's local database.
When {project_name} successfully authenticates users through an external identity provider
there can be two situations:

* There is already a {project_name} user account imported and linked with the authenticated identity provider account.
  In this case, {project_name} will just authenticate as the existing user and redirect back to application.
* There is not yet an existing {project_name} user account imported and linked for this external user.
  Usually you just want to register and import the new account into {project_name} database, but what if there is an existing
  {project_name} account with the same email? Automatically linking the existing local account to the external
  identity provider is a potential security hole as you can't always trust the information you get from the external identity provider.

Different organizations have different requirements when dealing with some of the conflicts and situations listed above.
For this, there is a `First Login Flow` option in the IDP settings which allows you to choose a <<_authentication-flows, workflow>> that will be
used after a user logs in from an external IDP the first time.
By default it points to `first broker login` flow, but you can configure and use your own flow and use different flows for different identity providers.

The flow itself is configured in admin console under `Authentication` tab.
When you choose `First Broker Login` flow, you will see what authenticators are used by default.
You can re-configure the existing flow. (For example you can disable some authenticators, mark some of them as `required`, configure some authenticators, etc).

ifeval::[{project_community}==true]
You can also create a new authentication flow and/or write your own Authenticator implementations and use it in your flow.
See link:{developerguide_link}[{developerguide_name}] for more details.
endif::[]

==== Default First Login Flow

Let's describe the default behavior provided by `First Broker Login` flow.

Review Profile::
  This authenticator might display the profile info page, where the user can review their profile retrieved from an identity provider.
  The authenticator is configurable.
  You can set the `Update Profile On First Login` option.
  When `On`, users will be always presented with the profile page asking for additional information in order to federate their identities.
  When `missing`, users will be presented with the profile page only if some mandatory information (email, first name, last name) is not provided by the identity provider.
  If `Off`, the profile page won't be displayed, unless user clicks in later phase on `Review profile info` link (page displayed in later phase
  by `Confirm Link Existing Account` authenticator).

Create User If Unique::
  This authenticator checks if there is already an existing {project_name} account with the same email or username like the account from the identity provider.
  If it's not, then the authenticator just creates a new local {project_name} account and links it with the identity provider and the whole flow is finished.
  Otherwise it goes to the next `Handle Existing Account` subflow.
  If you always want to ensure that there is no duplicated account, you can mark this authenticator as `REQUIRED`. In this case, the user
  will see the error page if there is an existing {project_name} account and the user will need to link the identity provider account through Account management.

NOTE: If you want to skip the ability to create new users, but you want that users authenticated from identity provider must already exists in {project_name} with same username or email like the user from identity provider, you can create new flow and replace `Create User If Exists` authenticator with `Detect Existing Broker User` . More details in the <<Detect Existing User First Login Flow,examples below>>.
  
Confirm Link Existing Account::
  On the info page, the user will see that there is an existing {project_name} account with the same email.
  They can review their profile again and use different email or username (flow is restarted and goes back to `Review Profile` authenticator).
  Or they can confirm that they want to link their identity provider account with their existing {project_name} account.
  Disable this authenticator if you don't want users to see this confirmation page, but go straight to linking identity provider account by email verification or re-authentication.

Verify Existing Account By Email::
  This authenticator is `ALTERNATIVE` by default, so it's used only if the realm has SMTP setup configured.
  It will send email to the user, where they can confirm that they want to link the identity provider with their {project_name} account.
  Disable this if you don't want to confirm linking by email, but instead you always want users to reauthenticate with their password (and alternatively OTP).

Verify Existing Account By Re-authentication::
  This authenticator is used if email authenticator is disabled or not available (SMTP not configured for realm). It will display a login screen
  where the user needs to authenticate to link their {project_name} account with the Identity provider.
  User can also re-authenticate with some different identity provider, which is already linked to their {project_name} account.
  You can also force users to use OTP. Otherwise it's optional and used only if OTP is already set for the user account.

==== Automatically Link Existing First Login Flow
WARNING: The AutoLink authenticator would be dangerous in a generic environment where users can register themselves using arbitrary usernames/email addresses. Do not use this authenticator unless registration of users is carefully curated and usernames/email addresses are assigned, not requested.

In order to configure a first login flow in which users are automatically linked without being prompted, create a new flow with the following two authenticators:

Create User If Unique::
This authenticator ensures that unique users are handled. Set the authenticator requirement to "Alternative".

Automatically Set Existing User::
Automatically sets an existing user to the authentication context without any verification. Set the authenticator requirement to "Alternative".

NOTE: The described setup uses two authenticators. This setup is the simplest one, but it is possible to use other
authenticators according to your needs. For example, you can add the Review Profile authenticator to the beginning of the flow if you still want
end users to confirm their profile information. You can also add authentication mechanisms to this flow, forcing a user to verify his credentials. This
would require a more complex flow, for example setting the "Automatically Set Existing User" and "Password Form" as "Required" in an "Alternative" sub-flow.

[[_disabling_automatic_user_creation]]
==== Disabling Automatic User Creation
The Default first login flow will look up a Keycloak account matching the external identity, and will then offer to link them; if there is no matching Keycloak account, it will automatically create one.
This default behavior may be unsuitable for some setups, for example, when using read-only LDAP user store (which means all users are pre-created).
In this case, automatic user creation should be turned off. To disable user creation:

* open the `First Broker Login` flow configuration;
* set `Create User If Unique` to `DISABLED`;
* set `Confirm Link Existing Account` to `DISABLED`.

This configuration also implies that Keycloak itself won't be able to determine which internal account would correspond to the external identity.
Therefore, the `Verify Existing Account By Re-authentication` authenticator will ask the user to provide both username and password.

==== Detect Existing User First Login Flow
In order to configure a first login flow in which:

  - only users already registered in this realm can log in,
  - users are automatically linked without being prompted,

create a new flow with the following two authenticators:

Detect Existing Broker User::
This authenticator ensures that unique users are handled. Set the authenticator requirement to `Mandatory`.

Automatically Set Existing User::
Automatically sets an existing user to the authentication context without any verification. Set the authenticator requirement to `Mandatory`.

You have to set the `First Login Flow` of the identity provider configuration to that flow.
You could set the also set `Sync Mode` to `force` if you want to update the user profile (Last Name, First Name...) with the identity provider attributes.

NOTE: This flow can be used if you want to delegate the identity to other identity providers (such as github, facebook ...) but you want to manage which users that can log in.
google 2016-05-26 16:09:04 +00:00			`[[_identity_broker_first_login]]`

			`=== First Login Flow`

broker 2016-05-27 15:23:34 +00:00			`When a user logs in through identity brokering some aspects of the user are imported and linked within the realm's local database.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`When {project_name} successfully authenticates users through an external identity provider`
broker 2016-05-27 15:23:34 +00:00			`there can be two situations:`

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`* There is already a {project_name} user account imported and linked with the authenticated identity provider account.`
			`In this case, {project_name} will just authenticate as the existing user and redirect back to application.`
			`* There is not yet an existing {project_name} user account imported and linked for this external user.`
			`Usually you just want to register and import the new account into {project_name} database, but what if there is an existing`
			`{project_name} account with the same email? Automatically linking the existing local account to the external`
broker 2016-05-27 15:23:34 +00:00			`identity provider is a potential security hole as you can't always trust the information you get from the external identity provider.`

			`Different organizations have different requirements when dealing with some of the conflicts and situations listed above.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			For this, there is a `First Login Flow` option in the IDP settings which allows you to choose a <<_authentication-flows, workflow>> that will be
broker 2016-05-27 15:23:34 +00:00			`used after a user logs in from an external IDP the first time.`
Minor changes to identity brokering chapter. 2016-06-05 21:22:42 +00:00			By default it points to `first broker login` flow, but you can configure and use your own flow and use different flows for different identity providers.
google 2016-05-26 16:09:04 +00:00
			The flow itself is configured in admin console under `Authentication` tab.
			When you choose `First Broker Login` flow, you will see what authenticators are used by default.
Minor changes to identity brokering chapter. 2016-06-05 21:22:42 +00:00			You can re-configure the existing flow. (For example you can disable some authenticators, mark some of them as `required`, configure some authenticators, etc).
Hide mention about custom authenticator in prod 2016-06-10 07:15:59 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`ifeval::[{project_community}==true]`
Hide mention about custom authenticator in prod 2016-06-10 07:15:59 +00:00			`You can also create a new authentication flow and/or write your own Authenticator implementations and use it in your flow.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`See link:{developerguide_link}[{developerguide_name}] for more details.`
			`endif::[]`
google 2016-05-26 16:09:04 +00:00
			`==== Default First Login Flow`

requested changes 2019-01-21 16:38:32 +00:00			Let's describe the default behavior provided by `First Broker Login` flow.
google 2016-05-26 16:09:04 +00:00
			`Review Profile::`
requested changes 2019-01-21 16:38:32 +00:00			`This authenticator might display the profile info page, where the user can review their profile retrieved from an identity provider.`
google 2016-05-26 16:09:04 +00:00			`The authenticator is configurable.`
Minor changes to identity brokering chapter. 2016-06-05 21:22:42 +00:00			You can set the `Update Profile On First Login` option.
google 2016-05-26 16:09:04 +00:00			When `On`, users will be always presented with the profile page asking for additional information in order to federate their identities.
Minor changes to identity brokering chapter. 2016-06-05 21:22:42 +00:00			When `missing`, users will be presented with the profile page only if some mandatory information (email, first name, last name) is not provided by the identity provider.
broker 2016-05-27 15:23:34 +00:00			If `Off`, the profile page won't be displayed, unless user clicks in later phase on `Review profile info` link (page displayed in later phase
requested changes 2019-01-21 16:38:32 +00:00			by `Confirm Link Existing Account` authenticator).
google 2016-05-26 16:09:04 +00:00
			`Create User If Unique::`
requested changes 2019-01-21 16:38:32 +00:00			`This authenticator checks if there is already an existing {project_name} account with the same email or username like the account from the identity provider.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`If it's not, then the authenticator just creates a new local {project_name} account and links it with the identity provider and the whole flow is finished.`
google 2016-05-26 16:09:04 +00:00			Otherwise it goes to the next `Handle Existing Account` subflow.
requested changes 2019-01-21 16:38:32 +00:00			If you always want to ensure that there is no duplicated account, you can mark this authenticator as `REQUIRED`. In this case, the user
KEYCLOAK-4544 Detect existing user before granting user autolink 2020-10-26 22:33:20 +00:00			`will see the error page if there is an existing {project_name} account and the user will need to link the identity provider account through Account management.`
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-4544 Detect existing user before granting user autolink 2020-10-26 22:33:20 +00:00			NOTE: If you want to skip the ability to create new users, but you want that users authenticated from identity provider must already exists in {project_name} with same username or email like the user from identity provider, you can create new flow and replace `Create User If Exists` authenticator with `Detect Existing Broker User` . More details in the <<Detect Existing User First Login Flow,examples below>>.

google 2016-05-26 16:09:04 +00:00			`Confirm Link Existing Account::`
requested changes 2019-01-21 16:38:32 +00:00			`On the info page, the user will see that there is an existing {project_name} account with the same email.`
			They can review their profile again and use different email or username (flow is restarted and goes back to `Review Profile` authenticator).
			`Or they can confirm that they want to link their identity provider account with their existing {project_name} account.`
google 2016-05-26 16:09:04 +00:00			`Disable this authenticator if you don't want users to see this confirmation page, but go straight to linking identity provider account by email verification or re-authentication.`

			`Verify Existing Account By Email::`
broker 2016-05-27 15:23:34 +00:00			This authenticator is `ALTERNATIVE` by default, so it's used only if the realm has SMTP setup configured.
requested changes 2019-01-21 16:38:32 +00:00			`It will send email to the user, where they can confirm that they want to link the identity provider with their {project_name} account.`
google 2016-05-26 16:09:04 +00:00			`Disable this if you don't want to confirm linking by email, but instead you always want users to reauthenticate with their password (and alternatively OTP).`

			`Verify Existing Account By Re-authentication::`
requested changes 2019-01-21 16:38:32 +00:00			`This authenticator is used if email authenticator is disabled or not available (SMTP not configured for realm). It will display a login screen`
KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking 2020-02-25 02:18:04 +00:00			`where the user needs to authenticate to link their {project_name} account with the Identity provider.`
requested changes 2019-01-21 16:38:32 +00:00			`User can also re-authenticate with some different identity provider, which is already linked to their {project_name} account.`
Minor changes to identity brokering chapter. 2016-06-05 21:22:42 +00:00			`You can also force users to use OTP. Otherwise it's optional and used only if OTP is already set for the user account.`
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-7270 Support for automatically linking brokered identities 2018-07-24 21:25:40 +00:00			`==== Automatically Link Existing First Login Flow`
			`WARNING: The AutoLink authenticator would be dangerous in a generic environment where users can register themselves using arbitrary usernames/email addresses. Do not use this authenticator unless registration of users is carefully curated and usernames/email addresses are assigned, not requested.`

			`In order to configure a first login flow in which users are automatically linked without being prompted, create a new flow with the following two authenticators:`

			`Create User If Unique::`
requested changes 2019-01-21 16:38:32 +00:00			`This authenticator ensures that unique users are handled. Set the authenticator requirement to "Alternative".`
KEYCLOAK-7270 Support for automatically linking brokered identities 2018-07-24 21:25:40 +00:00
KEYCLOAK-11745 Multi-factor authentication documentation Co-authored-by: rpo <harture414@gmail.com> Co-authored-by: mposolda <mposolda@gmail.com> 2019-11-12 16:32:33 +00:00			`Automatically Set Existing User::`
			`Automatically sets an existing user to the authentication context without any verification. Set the authenticator requirement to "Alternative".`
KEYCLOAK-7270 Support for automatically linking brokered identities 2018-07-24 21:25:40 +00:00
Corrections and improvements suggested by @andymunro 2019-11-13 13:10:50 +00:00			`NOTE: The described setup uses two authenticators. This setup is the simplest one, but it is possible to use other`
KEYCLOAK-11745 Multi-factor authentication documentation Co-authored-by: rpo <harture414@gmail.com> Co-authored-by: mposolda <mposolda@gmail.com> 2019-11-12 16:32:33 +00:00			`authenticators according to your needs. For example, you can add the Review Profile authenticator to the beginning of the flow if you still want`
			`end users to confirm their profile information. You can also add authentication mechanisms to this flow, forcing a user to verify his credentials. This`
			`would require a more complex flow, for example setting the "Automatically Set Existing User" and "Password Form" as "Required" in an "Alternative" sub-flow.`
KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking 2020-02-25 02:18:04 +00:00
KEYCLOAK-13759 Upgrading guide 2020-04-08 17:42:20 +00:00			`[[_disabling_automatic_user_creation]]`
KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking 2020-02-25 02:18:04 +00:00			`==== Disabling Automatic User Creation`
			`The Default first login flow will look up a Keycloak account matching the external identity, and will then offer to link them; if there is no matching Keycloak account, it will automatically create one.`
			`This default behavior may be unsuitable for some setups, for example, when using read-only LDAP user store (which means all users are pre-created).`
			`In this case, automatic user creation should be turned off. To disable user creation:`

			* open the `First Broker Login` flow configuration;
			* set `Create User If Unique` to `DISABLED`;
			* set `Confirm Link Existing Account` to `DISABLED`.

			`This configuration also implies that Keycloak itself won't be able to determine which internal account would correspond to the external identity.`
KEYCLOAK-4544 Detect existing user before granting user autolink 2020-10-26 22:33:20 +00:00			Therefore, the `Verify Existing Account By Re-authentication` authenticator will ask the user to provide both username and password.

			`==== Detect Existing User First Login Flow`
			`In order to configure a first login flow in which:`

			`- only users already registered in this realm can log in,`
			`- users are automatically linked without being prompted,`

			`create a new flow with the following two authenticators:`

			`Detect Existing Broker User::`
			This authenticator ensures that unique users are handled. Set the authenticator requirement to `Mandatory`.

			`Automatically Set Existing User::`
			Automatically sets an existing user to the authentication context without any verification. Set the authenticator requirement to `Mandatory`.

			You have to set the `First Login Flow` of the identity provider configuration to that flow.
			You could set the also set `Sync Mode` to `force` if you want to update the user profile (Last Name, First Name...) with the identity provider attributes.

			`NOTE: This flow can be used if you want to delegate the identity to other identity providers (such as github, facebook ...) but you want to manage which users that can log in.`