Home IdP Discovery - Introduction
This is a simple Keycloak authenticator to redirect users to their home identity provider during login.
What is it good for?
When a federated user wants to log in via Keycloak, Keycloak presents a username/password form together with a list of the configured identity providers. The user has to pick an identity provider before being redirected to it. This authenticator lets users skip the step of selecting an identity provider.
How does it work?
If this authenticator is configured as part of a browser-based login flow, Keycloak presents a username form only (no password field and no list of configured identity providers). The user enters an email address; Keycloak then chooses an identity provider based on the domain part of that email address and forwards the user to the chosen provider.
The identity provider will be chosen by the following preference:
- If the `forwardToLinkedIdp` config option is enabled:
  - Use the first linked identity provider with a matching domain
  - Otherwise, use the first linked identity provider
  - Otherwise, use the first non-linked identity provider with a matching domain
- If the `forwardToLinkedIdp` config option is disabled:
  - Use the first identity provider with a matching domain
Only identity providers that are enabled and not marked as link-only are considered.
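The selection rules above, written out as a small Python model so the ordering can be checked against concrete inputs. This is an added example and not the authenticator's own (Java) code; it assumes that each identity provider carries a set of email domains it is responsible for, that `providers` is passed in configuration order (which is what "first" refers to here), and that the set of identity providers already linked to the user's account has been looked up separately and is passed in as `linked_aliases`. The provider list and the email addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class IdentityProvider:
    """Minimal stand-in for a configured identity provider (constructed for this example)."""
    alias: str
    domains: frozenset          # assumed: email domains mapped to this provider
    enabled: bool = True
    link_only: bool = False     # link-only providers are never used for redirection


def email_domain(email: str) -> Optional[str]:
    """Lower-cased domain part of an email address, or None if the input is not local@domain."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def choose_idp(email: str,
               providers: Iterable[IdentityProvider],
               linked_aliases: Set[str],
               forward_to_linked_idp: bool) -> Optional[str]:
    """Return the alias of the provider to forward the user to, or None if no rule matches."""
    domain = email_domain(email)
    if domain is None:
        return None

    # Only enabled, non-link-only providers are ever considered.
    candidates = [p for p in providers if p.enabled and not p.link_only]
    matching = [p for p in candidates if domain in p.domains]

    if not forward_to_linked_idp:
        # Option disabled: first provider with a matching domain, linked or not.
        return matching[0].alias if matching else None

    linked = [p for p in candidates if p.alias in linked_aliases]
    # 1. First linked provider whose domains include the email's domain.
    for p in linked:
        if domain in p.domains:
            return p.alias
    # 2. Otherwise the first linked provider, regardless of domain.
    if linked:
        return linked[0].alias
    # 3. Otherwise the first non-linked provider with a matching domain.
    for p in matching:
        if p.alias not in linked_aliases:
            return p.alias
    return None


# Constructed sample configuration, in configuration order.
SAMPLE_PROVIDERS = [
    IdentityProvider("corp-saml", frozenset({"corp.example"})),
    IdentityProvider("partner-oidc", frozenset({"partner.example"})),
    IdentityProvider("legacy-saml", frozenset({"legacy.example"}), enabled=False),
    IdentityProvider("corp-link-only", frozenset({"corp.example"}), link_only=True),
]


if __name__ == "__main__":
    # A user with no linked providers is routed purely by domain.
    print(choose_idp("alice@corp.example", SAMPLE_PROVIDERS, set(), True))
    # With forwardToLinkedIdp enabled, an existing link wins even without a domain match.
    print(choose_idp("alice@corp.example", SAMPLE_PROVIDERS, {"partner-oidc"}, True))
    # A disabled provider is never chosen, so this yields None.
    print(choose_idp("bob@legacy.example", SAMPLE_PROVIDERS, set(), True))
```

Two details worth keeping in mind when reviewing a deployment: the domain is taken from whatever the user typed, so the mapping only decides where the user is sent and the chosen provider still performs the actual authentication; and with `forwardToLinkedIdp` enabled an already-linked provider takes precedence over a domain match, which is why the model checks linked providers before the domain table.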