Configuring the Authentication Flow
In the previous step we configured the User Name property to be set from the value of the fiscalNumber SAML assertion attribute. This is because we want users to authenticate with any SPID IdP without a different account being created each time they access Keycloak (remember that SPID uses Transient NameIDs, so we cannot rely on users having the same NameID each time they log in).
If an existing user logs in with the same username/email from a different IdP, however, Keycloak will by default trigger an Existing Account Verification step. We obviously don't want that, as we trust the information coming from the SPID IdPs and we want the accounts to be linked automatically.
This problem can be solved by defining a custom Authentication Flow.
In the Keycloak admin UI, select the Authentication config item. In the Flows tab, select First Broker Login and then click Copy. Set the name of the new flow to First Broker Login (SPID).
Find the First Broker Login (SPID) Handle Existing Account entry and click on the Actions command on the right, then select Add Execution. Choose the provider Automatically Set Existing User and click Save. With the up/down arrows, move the new execution above the Confirm Link Existing Account entry.
Now set the Automatically Set Existing User Requirement radio button to Required, and both the Confirm Link Existing Account and the First Broker Login Account (SPID) Verification Options radio buttons to Disabled.
Now we need to tell Keycloak to use the newly created Authentication Flow for the SPID IdPs. In the Identity Providers screen, edit each Identity Provider's configuration and set the First Login Flow parameter to the First Broker Login (SPID) value. Assign this flow only to the SPID providers: it links an incoming login to an existing account without any verification step, which is acceptable here precisely because the SPID IdPs are trusted to assert the fiscalNumber.
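The same configuration driven through Keycloak's admin REST API, as an added example that is not part of this project's code. It assumes the flow has already been copied and the Automatically Set Existing User execution added to the Handle Existing Account subflow; the server URL, realm, admin bearer token, flow alias and IdP alias are parameters you supply. plan_updates works offline on a constructed execution listing, apply_plan sends the requests to a live server.

```python
import json
import urllib.request

# Keycloak provider ids behind the admin-UI labels used in the text.
AUTO_LINK = "idp-auto-link"        # "Automatically Set Existing User"
CONFIRM_LINK = "idp-confirm-link"  # "Confirm Link Existing Account"

def plan_updates(executions):
    """From the copied flow's execution list (GET .../flows/{alias}/executions) derive the
    requirement changes and how many raise-priority calls the auto-link step needs."""
    by_provider = {e.get("providerId"): e for e in executions}
    auto_link, confirm_link = by_provider[AUTO_LINK], by_provider[CONFIRM_LINK]
    # Assumption: the verification-options subflow is the subflow whose display name
    # contains "verification options" (matched case-insensitively).
    verification = next(e for e in executions if e.get("authenticationFlow")
                        and "verification options" in e["displayName"].lower())
    updates = [dict(auto_link, requirement="REQUIRED"),      # copies; input is not mutated
               dict(confirm_link, requirement="DISABLED"),
               dict(verification, requirement="DISABLED")]
    # A step added through the API lands last in its subflow; each raise-priority call
    # moves it up one slot, so raise it until it sits above the confirm-link step.
    raises = max(0, auto_link["index"] - confirm_link["index"])
    return updates, raises

def apply_plan(base, realm, token, flow_alias, idp_alias, updates, raises, auto_link_id):
    """Push the plan to a live Keycloak admin REST API ('token' is an admin bearer token)."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            f"{base}/admin/realms/{realm}/{path}", method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"null")
    for u in updates:
        call("PUT", f"authentication/flows/{flow_alias}/executions", u)
    for _ in range(raises):
        call("POST", f"authentication/executions/{auto_link_id}/raise-priority")
    idp = call("GET", f"identity-provider/instances/{idp_alias}")  # First Login Flow setting
    idp["firstBrokerLoginFlowAlias"] = flow_alias
    call("PUT", f"identity-provider/instances/{idp_alias}", idp)

# Constructed sample of the copied flow's "Handle Existing Account" subflow executions (illustrative).
SAMPLE_EXECUTIONS = [
    {"id": "x2", "providerId": CONFIRM_LINK, "displayName": "Confirm Link Existing Account",
     "requirement": "REQUIRED", "level": 1, "index": 0},
    {"id": "x3", "displayName": "First Broker Login (SPID) Account Verification Options",
     "authenticationFlow": True, "requirement": "REQUIRED", "level": 1, "index": 1},
    {"id": "x4", "providerId": AUTO_LINK, "displayName": "Automatically Set Existing User",
     "requirement": "DISABLED", "level": 1, "index": 2},
]
```

Fetch the real listing with GET on the same executions path, feed it to plan_updates, and check the plan before calling apply_plan.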
Congratulations! This was the last configuration step; we can now proceed to trigger a SPID login and test the login process.