[Feature] OrganizationID (or any other string) instead of email domain #189

Open
1 task done
SangI762 opened this issue Apr 24, 2023 · 5 comments
Assignees
Labels
enhancement New feature or request

Comments

@SangI762

Is there an existing feature request for this?

  • I have searched the existing issues

Is your feature related to a problem? Please describe.

Wondering, is it possible to add an option to get predefined IDPs by OrganizationID, for example, instead of by email domain? It could be a custom form field to enter a string value.
This is needed for security reasons, because the email domain itself exposes that this particular company is our client and could be targeted by our opponents. Also, we expose which IDP that company uses.

Describe the solution you'd like

I'd like to have an option for what to use to map the IDP: selection by email domain or selection by a specific string value from an additional field.

Describe alternatives you've considered

No response

Anything else?

No response

@SangI762 SangI762 added the enhancement New feature or request label Apr 24, 2023
@sventorben sventorben self-assigned this Apr 24, 2023
@sventorben
Owner

Hello @SangI762,

thanks for the feature request. Yes, it is possible in general, because most of the functionality is already there.
However, adding a form field would require adding a custom login page template. Currently I am reusing the default username field from Keycloak. With this I get all the new features for free and the maintenance cost is very low.
Do you need it as a separate field?

If you could use a syntax like username@OrganizationID, everything should work out of the box.
You would need to add a user attribute named OrganizationID to your users with a value of the corresponding id prefixed with an @ sign. Let's assume the OrganizationID is org-123 then the value would be @org-123.
If your identity provider only handles a single OrganizationID, you could easily add that attribute with an identity provider mapper of type Hardcoded Attribute.
Configure the Home IdP Discovery authenticator to use the user attribute OrganizationID. In the identity provider add org-123 as a domain name.

With this setup your users can use username@OrganizationID for the login and should get redirected to the home idp.

What do you think?
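The `username@OrganizationID` mapping described in the comment above, as an added illustrative model; this is not code from keycloak-home-idp-discovery or Keycloak. It assumes that the part of the login before the `@` is the realm username, that each user carries an `OrganizationID` attribute whose value is `@<id>`, and that each identity provider lists the ids it serves as its "domains". The `IdentityProvider` and `User` classes, the `discover_home_idp` function and the realm data are all constructed for this example.

```python
"""Model of the 'username@OrganizationID' home-IdP discovery flow.

Added illustration, not code from keycloak-home-idp-discovery. It reproduces
the lookup the comment describes: the login name carries an OrganizationID
after '@', each user has an attribute whose value is '@<id>', and each identity
provider lists the ids it serves under its domain list. All realm data here is
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class IdentityProvider:
    alias: str
    domains: Set[str]  # hypothetical stand-in for the IdP's configured domain list


@dataclass
class User:
    username: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)


# Constructed sample realm: two IdPs, two federated users, one local user.
IDPS = [
    IdentityProvider("acme-saml", {"org-123"}),
    IdentityProvider("globex-oidc", {"org-456", "org-789"}),
]
USERS = {
    "alice": User("alice", {"OrganizationID": ["@org-123"]}),
    "bob": User("bob", {"OrganizationID": ["@org-456"]}),
    "carol": User("carol"),  # no attribute: stays on the local password login
}

# The user attribute the authenticator is (assumed to be) configured with.
ATTRIBUTE = "OrganizationID"


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split 'username@OrganizationID' into (username, org id); org id is None if absent."""
    username, sep, org = login.rpartition("@")
    if not sep:
        return login, None
    return username, org or None


def domain_from_attribute(user: User, attribute: str) -> Optional[str]:
    """Return the 'domain' part of the attribute value, i.e. what follows the '@'."""
    for value in user.attributes.get(attribute, []):
        _, sep, domain = value.rpartition("@")
        if sep and domain:
            return domain.lower()
    return None


def discover_home_idp(login: str, users=USERS, idps=IDPS) -> Optional[str]:
    """Return the alias of the IdP to redirect to, or None for the local login form.

    Unknown user, missing attribute and unknown organization all return the same
    None, so the login form does not reveal which OrganizationIDs exist (the
    enumeration concern raised in the issue).
    """
    username, org_from_login = split_login(login)
    user = users.get(username.lower())
    if user is None:
        return None
    domain = domain_from_attribute(user, ATTRIBUTE)
    if domain is None:
        return None
    # The id typed at login must agree with the stored attribute; otherwise a
    # user could not be steered to an IdP other than their own by editing the login.
    if org_from_login is not None and org_from_login.lower() != domain:
        return None
    for idp in idps:
        if domain in {d.lower() for d in idp.domains}:
            return idp.alias
    return None


if __name__ == "__main__":
    for login in ("alice@org-123", "bob@org-456", "carol", "alice@org-999", "mallory@org-123"):
        print(f"{login:18} -> {discover_home_idp(login)}")
```

The point of keeping a single `None` result for every failure path is the one the issue opens with: whoever probes the login form learns nothing about which organization ids are mapped, because an unmapped id and a non-existent user look identical from outside.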

@SangI762
Author

SangI762 commented May 2, 2023

Hey, @sventorben, thanks for the suggestion. Yes, I think the majority of use cases could be covered by the proposed flow. So at the moment I think we're good. Thanks.

@vukomir

vukomir commented Aug 27, 2023

Hi,

I'm also interested in this approach to get predefined IDPs by OrganizationID or by IDP Display name from the keycloak configuration.

@sventorben
Owner

What do you mean by IDP display name? How would this be different from the buttons that are displayed by default?

@vukomir

vukomir commented Sep 21, 2023

Sorry for the late response @sventorben.
Instead of disabling all of the existing providers or doing discovery based on the email address, the flow can be like:

  1. login with username and password (normal flow)
  2. login with your Company ID

When a user selects "login with your Company ID", he will be redirected to a screen where he needs to input his company ID, and this will be the Alias/Client ID depending on the type of the provider that was created:

SAML v2.0 - Alias (The alias uniquely identifies an identity provider and it is also used to build the redirect uri.)
Facebook - Client ID (The client identifier registered with the identity provider.)

hope that this info helps.

Development

No branches or pull requests

3 participants