Configuring the Authentication Flow
In the previous step we configured the User Name property to be set from the value of the fiscalNumber SAML assertion. This is because we want users to authenticate with any SPID IdP without a different account being created each time they access Keycloak (remember that SPID uses transient NameIDs, so we can't rely on users having the same NameID each time they log in).
If an existing user logs in with the same username/email from a different IdP, however, Keycloak will by default trigger an Existing Account Verification step. We obviously don't want that, as we trust the information from SPID IdPs and we want the account to be joined automatically.
This problem can be solved by defining a custom Authentication Flow.
In the Keycloak admin UI, select the Authentication config item. In the Flows tab, select First Broker Login and then click Copy. Set the name of the new flow to First Broker Login (SPID).
Now we need to tell Keycloak we want to use the newly created Authentication Flow in the SPID IdPs. In the Identity Providers screen, edit each Identity Provider's configuration and set the First Login Flow parameter to the First Broker Login (SPID) value.
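The same two steps can be scripted against the Keycloak Admin REST API, which is useful when a realm has many SPID IdPs and the flow assignment must be reproducible. The example below is added here and is not part of this wiki or the provider's own code. It uses the real Admin REST endpoints (the built-in flow alias is "first broker login", the copy endpoint takes {"newName": ...}, and an Identity Provider is updated by reading its representation and putting it back with firstBrokerLoginFlowAlias changed); the realm name "spid", the IdP aliases, the base URL and the way the admin token is obtained are assumptions for the example.

```python
import json
import urllib.request
from urllib.parse import quote

# Keycloak's built-in flow alias (lowercase, with spaces) and the name this
# wiki page gives to the copy. Realm and IdP aliases used further down are
# assumptions for this example, not values from the project.
BUILTIN_FIRST_LOGIN_FLOW = "first broker login"
SPID_FIRST_LOGIN_FLOW = "First Broker Login (SPID)"


def urllib_transport(base_url, token):
    """Return a transport callable that sends JSON to the Admin REST API.

    Transport signature: (method, path, body) -> (http_status, parsed_json).
    Obtaining the admin access token is out of scope here; pass one in.
    """
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return call


def copy_first_broker_login_flow(call, realm, new_name=SPID_FIRST_LOGIN_FLOW):
    """Same as Authentication -> Flows -> First Broker Login -> Copy in the UI."""
    path = "/admin/realms/%s/authentication/flows/%s/copy" % (
        quote(realm, safe=""), quote(BUILTIN_FIRST_LOGIN_FLOW, safe=""))
    status, _ = call("POST", path, {"newName": new_name})
    if status not in (201, 204):
        raise RuntimeError("flow copy failed with HTTP %d" % status)
    return new_name


def set_first_login_flow(call, realm, idp_alias, flow_alias=SPID_FIRST_LOGIN_FLOW):
    """Same as editing one Identity Provider and setting First Login Flow.

    PUT replaces the whole IdentityProviderRepresentation, so read the current
    one first and change only firstBrokerLoginFlowAlias; every other setting
    (entity IDs, certificates, mappers' config) is sent back unchanged.
    """
    path = "/admin/realms/%s/identity-provider/instances/%s" % (
        quote(realm, safe=""), quote(idp_alias, safe=""))
    status, rep = call("GET", path)
    if status != 200 or rep is None:
        raise RuntimeError("cannot read IdP %s (HTTP %d)" % (idp_alias, status))
    rep["firstBrokerLoginFlowAlias"] = flow_alias
    status, _ = call("PUT", path, rep)
    if status != 204:
        raise RuntimeError("update of IdP %s failed (HTTP %d)" % (idp_alias, status))
    return rep


def configure_spid_first_login(call, realm, idp_aliases):
    """Run the whole step: copy the flow, then point every SPID IdP at it.

    Returns {idp_alias: flow alias now configured} so the caller can verify.
    """
    flow = copy_first_broker_login_flow(call, realm)
    return {
        alias: set_first_login_flow(call, realm, alias, flow)["firstBrokerLoginFlowAlias"]
        for alias in idp_aliases
    }


if __name__ == "__main__":
    # Assumed local deployment and assumed IdP aliases; replace with your own.
    transport = urllib_transport("http://localhost:8080", token="<admin token>")
    print(configure_spid_first_login(transport, "spid", ["spid-posteid", "spid-arubaid"]))
```

The transport is injected so the same functions can be exercised against a recording stub before touching a live realm; the UI achieves exactly the same end state, so either route is fine as long as every SPID IdP ends up with the SPID flow and none is left on the default one.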