Organization selection via social IDP login

We have a setup where a single user can belong to multiple organizations, and we support social login via an external Identity Provider (IDP) (such as Microsoft). This IDP is shared across all organizations, meaning it is not tied to any specific one.

When a user logs in using the social IDP, we want Keycloak to prompt them to select an organization after the IDP authentication is successful. This is important because their session needs to be associated with a specific organizational context (e.g., for multi-tenancy, permissions, or routing purposes).

However, this organization selection step does not appear after the IDP login completes, and the user is simply logged in without context.

Is it possible to configure Keycloak to trigger an organization selection screen after a user logs in via a social IDP, especially in cases where:

  • The same user exists across multiple organizations
  • The organization cannot be inferred directly from the IDP identity

If yes, how can this be achieved within Keycloak?

We’ve tried customizing the First Broker Login flow by:

  • Duplicating it
  • Enabling Automatically Link Existing User
  • Adding a custom step for Organization Onboarding

…but this flow still does not show the organization selection screen after login. Are we missing a configuration or step to make this work?


First, I have to say that I don’t have experience with the organizations feature in Keycloak, so these are just some thoughts on the subject.

I believe you have to implement a Custom Authenticator that prompts users to select their organization. The current version of Keycloak automatically assigns an organization to a user based on their email domain (Server Administration Guide).

As I tested, it’s not possible to link the same Identity Provider to multiple organization entities in Keycloak. So, from Keycloak’s perspective, if a single IdP is shared across multiple organizations, it treats them as one and cannot dynamically assign users to different organizations.

You can implement a Custom Authenticator that displays a form allowing the user to choose their organization and set the user’s organization in Keycloak based on their selection. However, I don’t think it’s a good idea. Keep in mind that this would only work during the First Broker Login flow — i.e., the first time a user logs in via the IdP (account linking). After that, the authenticator will no longer be triggered because the Browser flow does not continue after the Identity Provider Redirector step. This is due to the following:

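A sketch of the custom authenticator described in the reply above, written as an added example (it is not code from the poster or from Keycloak itself). It assumes a FreeMarker template `select-organization.ftl` with a field named `organization`, that `OrganizationProvider.getByMember` exists in your Keycloak version, and that an auth note keyed by `OrganizationModel.ORGANIZATION_ATTRIBUTE` is what the organization mappers read to resolve the session's organization; the `AuthenticatorFactory` registration is left out.

```java
import java.util.List;
import java.util.stream.Collectors;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OrganizationModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.organization.OrganizationProvider;

public class OrganizationSelectorAuthenticator implements Authenticator {
    // Form field name in the assumed template select-organization.ftl
    private static final String ORG_FIELD = "organization";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        OrganizationProvider orgs = context.getSession().getProvider(OrganizationProvider.class);
        List<OrganizationModel> memberships = orgs.getByMember(context.getUser()).collect(Collectors.toList());
        if (memberships.isEmpty()) { context.attempted(); return; }                  // nothing to choose
        if (memberships.size() == 1) { select(context, memberships.get(0)); return; } // no prompt needed
        Response form = context.form().setAttribute("organizations", memberships).createForm("select-organization.ftl");
        context.challenge(form); // render the selection page and wait for the POST
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
        String chosenId = params.getFirst(ORG_FIELD);
        OrganizationProvider orgs = context.getSession().getProvider(OrganizationProvider.class);
        // Never trust the submitted id: accept only an organization the user is actually a member of
        OrganizationModel chosen = orgs.getByMember(context.getUser())
                .filter(o -> o.getId().equals(chosenId)).findFirst().orElse(null);
        if (chosen == null) { context.failure(AuthenticationFlowError.INVALID_USER); return; }
        select(context, chosen);
    }

    private void select(AuthenticationFlowContext context, OrganizationModel org) {
        // Assumption: organization mappers resolve the session's organization from this auth note
        context.getAuthenticationSession().setAuthNote(OrganizationModel.ORGANIZATION_ATTRIBUTE, org.getId());
        context.success();
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because the step needs a resolved user, it must sit after the account-linking step in the flow, and as the reply notes it will only run where the flow actually reaches it.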