
login_hint issue #41

Open
tombeeckman opened this issue Nov 28, 2019 · 1 comment

Comments

@tombeeckman

Hi,

We would like to raise a question about the support for passing a login_hint to Keycloak via the keycloak wsfed implementation.

Let me discuss our setup and what we are trying to achieve.
We have an on-premises Microsoft Active Directory Federation Services (ADFS). Some of our identities are stored in Azure B2C. Unfortunately there is no possibility to link ADFS directly with Azure B2C, therefore we have put Keycloak in between. We are aware that Microsoft is working on federating ADFS directly with Azure B2C, but it's still in private preview.

ADFS -> keycloak: keycloak is identity provider for ADFS, ADFS is defined as client on keycloak.
keycloak -> Azure B2C: Azure B2C is identity provider for keycloak.

We have customized the home realm detection on ADFS in order to dispatch the user to the correct identity provider, based upon their username. (e.g. internal employees to our Active Directory, other users to Azure B2C, ...)
In this case we are experiencing an issue impacting the end user experience, because we are unable to pass the username (via login_hint) from the ADFS home realm detection to the Azure B2C login page. This causes end users to have to enter their username twice: once on the ADFS signin page (home realm detection), and a 2nd time on the Azure B2C login page on which they land after being redirected from the ADFS HRD.

In a previous version of our setup Keycloak was federated with ADFS via SAML-P, but we got indications from Microsoft that it was not possible to pass a login_hint via SAML-P. Via wsfed it's possible to pass the login_hint from ADFS over WS federation.
In recent versions of keycloak it's also possible to pass the login_hint to the identity provider (Azure B2C) defined in Keycloak.

Unfortunately it seems that the login_hint is passed to keycloak but is not processed. The login_hint is lost at the first wsfed request on keycloak.

Any advice on this topic?

  • Request on ADFS containing login_hint [screenshot]

  • 1st request on keycloak containing login_hint... but in subsequent requests the login_hint is lost [screenshot]

@brat000012001

The closest to what you are asking is the whr parameter (see http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html, Section 13.2.2). whr is a "...parameter [that] indicates the account partner realm of the client. This parameter is used to indicate the IP/STS address for the requestor", meaning that it is the same for all users in a group, whereas the OpenID Connect standard (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest, section 3.1.2.1) defines a more flexible login_hint as a "Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service". The current WsFed implementation is in conformance with the original WsFederation specs and does not handle non-standard parameters embedded in a signin request. That being said, one option can be to have a configuration option that can turn on/enable non-standard parameter handling. Another possible solution is to add a custom implementation of WsFed (e.g. "WsFederation for Keycloak").
Cheers
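To make the proposed "configuration option" concrete, here is an added example (not code from this project or from either participant) that splits a WS-Fed signin request into its standard and non-standard parameters and carries a non-standard login_hint into the OIDC authorization request for the brokered IdP only when a hypothetical switch is on and the value passes validation. Hostnames, realm names, the client registration and the B2C endpoint are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
import re

# Constructed sample: the WS-Fed signin request ADFS sends to Keycloak (hypothetical hosts/realm).
WSFED_SIGNIN_REQUEST = (
    "https://keycloak.example.test/auth/realms/demo/protocol/wsfed"
    "?wa=wsignin1.0&wtrealm=urn%3Aadfs%3Aexample"
    "&whr=https%3A%2F%2Fadfs.example.test%2Fadfs%2Fservices%2Ftrust"
    "&login_hint=alice%40example.test"
)
# Hypothetical authorization endpoint of the brokered IdP (Azure B2C in the thread).
BROKER_AUTHZ_ENDPOINT = "https://b2c.example.test/oauth2/v2.0/authorize"
# Commonly used WS-Federation 1.2 signin parameters; anything else is treated as non-standard.
WSFED_PARAMS = {"wa", "wtrealm", "wreply", "wctx", "wct", "whr", "wauth", "wfresh"}
# login_hint arrives straight from the browser, so accept only a conservative identifier shape
# (local part, optionally followed by @domain) before reflecting it into an outbound request.
LOGIN_HINT_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}(@[A-Za-z0-9.-]{1,190})?$")


def parse_wsfed_signin(url):
    """Return (standard, extra) parameter dicts for a WS-Fed signin request."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    if params.get("wa") != "wsignin1.0" or "wtrealm" not in params:
        raise ValueError("not a WS-Fed signin request")
    standard = {k: v for k, v in params.items() if k in WSFED_PARAMS}
    extra = {k: v for k, v in params.items() if k not in WSFED_PARAMS}
    return standard, extra


def valid_login_hint(hint):
    return bool(LOGIN_HINT_RE.match(hint))


def build_broker_authz_request(url, forward_login_hint, state="opaque-state"):
    """Build the OIDC authorization request sent on to the brokered IdP.

    login_hint is carried over only when the (hypothetical) option is enabled and the
    value validates; otherwise it is dropped, which is the behaviour reported above."""
    _, extra = parse_wsfed_signin(url)
    authz = {
        "client_id": "keycloak-broker",  # constructed client registration at the IdP
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": "https://keycloak.example.test/auth/realms/demo/broker/b2c/endpoint",
        "state": state,
    }
    hint = extra.get("login_hint")
    if forward_login_hint and hint is not None and valid_login_hint(hint):
        authz["login_hint"] = hint
    return urlunsplit(urlsplit(BROKER_AUTHZ_ENDPOINT)._replace(query=urlencode(authz)))
```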
