Keycloak (https://www.keycloak.org/) authentication based on an idp broker attribute.
This custom Idp Authenticator allows you to perform authentication comparing a local user attribute value with an Idp Broker attribute.
Download keycloak-userattribute-authenticator.jar from Releases page.
Then deploy it into $KEYCLOAK_HOME/standalone/deployements directory.
In the Keycloak admin UI, select the Authentication config item. In the Flows tab, select First Broker Login and then click Copy. Set the authentication flow name to the desired one.
Find the Handle Existing Account entry and click on the Actions command on the right, then select Add Execution. Choose the provider Verify Existing Account By Attribute and click Save.
Set the Verify Existing Account By Attribute radio button to Required and remove all unnecessary authentication actions from the flow.
Now it is necessary to configure the action by selecting configure from the right menu.
-
Alias: enter a name for the authenticator. -
Broker Idp attribute name: enter the name of Broker Idp attribute. -
Optional RegEx pattern: enter an optional regular expression to filter attribute value. -
Optional RegEx matcher group index: enter an optional index of matcher group. Default is 0. -
Transform to Upper Case: [ON] Transform Broker Idp attribute value in upper case. [OFF] Leave unchanged. -
User attribute name: enter the name of user attribute to compare with.
Now we have to configure Keycloak to use the newly created authentication flow in the Idps of our interest. On the Identity Providers screen, change the identity provider configuration and set the First Login Flow parameter to the flow you just created.
Clone this repository and run mvn clean package.
You can see keycloak-userattribute-authenticator.jar under target directory.