
Comments (5)

anarsultanov commented on June 14, 2024

Hi @HanifAbRazak,

To link a created tenant to an Identity Provider (IDP), you should use the PUT /admin/realms/{realm}/identity-provider/instances/{alias} endpoint. Ensure that you include the full body obtained from a GET request to the same endpoint, and add the multi-tenancy.tenants configuration.

Here's an example:

PUT /admin/realms/{realm}/identity-provider/instances/{alias}

{
  "alias": "{alias}",
  "config": {
    "clientId": "{clientId}",
    "clientSecret": "{clientSecret}",
    "multi-tenancy.tenants": "tenant-1-id,tenant-2-id",
    // Other configuration properties...
  },
  // Other properties...
}

Hope this helps!

from keycloak-multi-tenancy.
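The GET-then-PUT round trip described in the comment above, as an added example that is not part of the project or the original thread. It talks to the standard Keycloak admin REST API (`/admin/realms/{realm}/identity-provider/instances/{alias}` and the `openid-connect/token` endpoint); the server URL, realm, alias, client credentials and tenant IDs are made-up placeholders, and `multi-tenancy.tenants` is the config key named in the comment. The merge step is kept as a pure function so it can be checked without a server.

```python
"""Attach tenants to a Keycloak identity provider (added example, not project code).

Flow: GET the full IdP representation, add/merge the "multi-tenancy.tenants"
config value, PUT the whole representation back. Sending only a partial body
would drop the other settings, which is why the GET comes first.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Optional

TENANT_CONFIG_KEY = "multi-tenancy.tenants"  # key used by the keycloak-multi-tenancy extension


def with_tenants(idp: dict[str, Any], tenant_ids: list[str], replace: bool = False) -> dict[str, Any]:
    """Return a deep copy of the IdP representation with the tenant list set.

    Keycloak stores IdP config values as strings, so the list is serialised as a
    comma-separated string. Existing IDs are kept unless replace=True; blanks and
    duplicates are normalised so a stray "" or repeated entry never ends up in the
    restriction list. An empty result is rejected (fail closed: the page does not
    document what an empty value means, so we never write one).
    """
    updated = json.loads(json.dumps(idp))  # deep copy; every other field is preserved for the PUT
    config = updated.setdefault("config", {})
    existing = [] if replace else [t.strip() for t in config.get(TENANT_CONFIG_KEY, "").split(",") if t.strip()]
    requested = [t.strip() for t in tenant_ids if t.strip()]
    merged = list(dict.fromkeys(existing + requested))  # de-duplicate, keep order
    if not merged:
        raise ValueError("refusing to write an empty tenant list")
    config[TENANT_CONFIG_KEY] = ",".join(merged)
    return updated


def _request(method: str, url: str, token: str, body: Optional[dict[str, Any]] = None) -> Any:
    """Minimal JSON request helper for the admin API (bearer token auth)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url,
        data=data,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def admin_token(base_url: str, client_id: str, client_secret: str, realm: str = "master") -> str:
    """Obtain an access token with the client-credentials grant (assumes a
    service-account client with realm-admin rights; placeholder credentials)."""
    form = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    ).encode()
    req = urllib.request.Request(f"{base_url}/realms/{realm}/protocol/openid-connect/token", data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"]


def link_tenants(base_url: str, realm: str, alias: str, token: str, tenant_ids: list[str]) -> str:
    """GET the IdP, merge the tenant IDs, PUT it back, and return the stored value."""
    url = f"{base_url}/admin/realms/{realm}/identity-provider/instances/{urllib.parse.quote(alias)}"
    current = _request("GET", url, token)
    _request("PUT", url, token, with_tenants(current, tenant_ids))
    # Re-read so the caller sees what the server actually persisted, not what we sent.
    return _request("GET", url, token)["config"][TENANT_CONFIG_KEY]


if __name__ == "__main__":
    # Placeholder values; replace with your own deployment before running.
    BASE = "https://keycloak.example.test"
    tok = admin_token(BASE, "automation-client", "automation-secret")
    print(link_tenants(BASE, "myrealm", "microsoft", tok, ["tenant-1-id", "tenant-2-id"]))
```

One caveat worth checking against your Keycloak version: the GET response typically returns `clientSecret` masked (a run of asterisks), and current Keycloak releases keep the existing secret when that masked value is sent back in the PUT. If your version does not, the PUT above would overwrite the secret with the mask and the IdP would stop working, so confirm a login still succeeds after the update.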

HanifAbRazak commented on June 14, 2024

Thank you for your reply, I successfully registered the tenant to the IdP.

However, based on my testing, the behavior of the IdP does not match the description in the documentation.

"With tenant-specific IDP configuration, the IDP limits access to only the tenants listed in the configuration. If a user logs in with the IDP but isn't a member of any of these specified tenants, and automatic membership creation isn't configured, an error will occur".

I created tenants called "99x" and "lol" and linked 1 user to each tenant with tenant membership.
Then, I linked the "99x" tenant to the "microsoft" IdP.

Based on my testing, both users were able to use the IdP, even though the description said there should be some kind of error if the user is not part of the tenant.

Please advise.
Also, just wondering if we can limit which IdP to show to the user in the UI based on IdP linked to their tenant membership?

Screenshots


anarsultanov commented on June 14, 2024

Thank you for providing additional details, but it appears there might be a misunderstanding.
It's important to note that you cannot control which users can "use" the IdP, as any user linked to it is allowed to log in. What you can control is access to the specific tenant.

For example, if you have tenants named "99x" and "lol" with one user linked to each tenant through tenant membership, and you link the "99x" tenant to the "microsoft" IdP, both users can log in using the IdP if they exist in the IdP. However, only the user linked to the "99x" tenant will be able to proceed with authentication to the associated tenant, while the other user will encounter an error.
To better understand this behavior, you can refer to the IdentityProviderIntegrationTest, which includes tests that illustrate these scenarios.

As for limiting IdP visibility in the UI based on tenant membership, if you're referring to the login page, this will not be possible since users are not yet logged in, and their tenant memberships are not known. However, you can consider using the Login with SSO authenticator instead of listing IdPs directly, as outlined in the README.


github-actions commented on June 14, 2024

This issue is stale because it has been open for 30 days with no activity. If this issue still applies please comment otherwise it will be closed in 7 days.


github-actions commented on June 14, 2024

This issue was closed because it has been inactive for 7 days since being marked as stale.
