login_hint issue #41

@tombeeckman

Description

Hi,

We would like to raise a question about the support for passing a login_hint to Keycloak via the keycloak wsfed implementation.

Let me discuss our setup and what we are trying to achieve.
We have an on-premises Microsoft Active Directory Federation Services (ADFS). Some of our identities are stored in Azure B2C. Unfortunately there is no possibility to link ADFS directly with Azure B2C, therefore we have put Keycloak in between. We are aware that Microsoft is working on federating ADFS directly with Azure B2C, but it's still in private preview.

ADFS -> Keycloak: Keycloak is the identity provider for ADFS; ADFS is defined as a client on Keycloak.
Keycloak -> Azure B2C: Azure B2C is the identity provider for Keycloak.

We have customized the home realm detection on ADFS in order to dispatch the user to the correct identity provider, based upon their username (e.g. internal employees to our Active Directory, other users to Azure B2C, ...).
In this case we are experiencing an issue impacting the end user experience, because we are unable to pass the username (via login_hint) from the ADFS home realm detection to the Azure B2C login page. This causes end users to have to enter their username twice: once on the ADFS sign-in page (home realm detection), and a second time on the Azure B2C login page on which they land after being redirected from the ADFS HRD.

In a previous version of our setup Keycloak was federated with ADFS via SAML-P, but we got indications from Microsoft that it was not possible to pass a login_hint via SAML-P. Via wsfed it's possible to pass the login_hint from ADFS over WS-Federation.
In recent versions of Keycloak it's also possible to pass the login_hint to the identity provider (Azure B2C) defined in Keycloak.

Unfortunately it seems that the login_hint is passed to Keycloak but is not processed. The login_hint is lost at the first wsfed request on Keycloak.

Any advice on this topic?

  • Request on ADFS containing login_hint (screenshot)

  • 1st request on Keycloak containing login_hint... but in subsequent requests the login_hint is lost (screenshot)
