Hey all,
just enabled organizations for a clean Keycloak realm. I set up the organization with a domain foo.com and created an example John Doe user with an email ending in foo.com - no credentials are set for this John Doe user. I linked an external identity provider (Microsoft) to the organization and set it to automatically redirect to it once the domain matches. So far so good.
When I try to login to account-console with my John Doe user:
- I enter the email (ending in foo.com)
- I click “Sign In”
- I get redirected to external identity provider → GREAT!
The problem comes if I add credentials to my John Doe user. I add password credentials and save them. I do nothing else but add password credentials - I make NO changes to the organization, identity provider or anything besides adding a password to my John Doe user.
Then I try to login to account-console:
- I enter John Doe’s email (ending in foo.com)
- I click on “Sign In”
- now the password field appears and I am forced to log in with a password.
In my case I want to always use the identity provider added to the organization, regardless of the user's credentials. Is that possible?
Bonus: users that aren’t added to the organization should still be able to log in whatever way they want.