Disabling "Update account information" dialog when brokering using Keycloak


Building on my blog post on using SAML in a SPA, let's dig into a problem many seem to encounter when using Keycloak and wishing to have it act more or less like a transparent broker or proxy for authentication.

The setup

Let's take the setup in the post Authenticating a React SPA towards a SAML IdP as an example. This sets up a simple integration between a React JavaScript SPA and an ADFS SAML IdP. As the React SPA does not talk SAML but OIDC, we are using Keycloak as a broker to translate between the two protocols.

    participant Application
    participant Keycloak SP
    participant ADFS IdP
    Application->>Keycloak SP: OIDC request
    Keycloak SP->>ADFS IdP: SAML request
    ADFS IdP->>Keycloak SP: SAML response
    Keycloak SP->>Application: OIDC response

The problem

Now, if you don't do any special configuration of the authentication flows in Keycloak, a user who authenticates for the first time will be asked to update their profile on the "Update account information" page, like the one below, before continuing to the service.

Update account information dialog

In many cases you do not want the user to see this dialog, but just be redirected straight to the service after authentication.

Disabling the "Update account information" page

Behaviors like this can be controlled under Authentication -> Flows in the Keycloak admin console. For this case we want to edit the "First Broker Login" flow, which controls the steps that are performed when a user authenticates for the first time with Keycloak acting as a broker.

Select the "First broker login" flow and click disable for the first step, named "Review Profile".

Disable profile review

To configure the IdP redirection and the disabling of the profile review using the Keycloak CLI:

    # Fetch the flow's executions and set the "Review Profile" step to DISABLED
    reviewProfileExecution=$(kcadm.sh get /authentication/flows/first%20broker%20login/executions -r oidcrealm | jq -r '.[] | (select(.alias == "review profile config") | .requirement) |= "DISABLED" | select(.alias == "review profile config")')
    kcadm.sh update authentication/flows/first%20broker%20login/executions -r oidcrealm -f - << EOF
    $reviewProfileExecution
    EOF

After this, users will be directed straight to the service without being shown the "Update account information" dialog.
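The same change can be made through the Keycloak Admin REST API that `kcadm.sh` wraps. The following is an added example, not code from the original post: it skips the update when the step is already disabled, so it is safe to re-run from automation. The base URL, the bearer token and the sample executions are assumptions; older Keycloak distributions serve the admin API under an `/auth` prefix.

```python
import copy
import json
import urllib.parse
import urllib.request

FLOW = "first broker login"
ALIAS = "review profile config"  # same alias the jq filter above matches on

# Constructed sample of the executions list returned for the flow (trimmed).
SAMPLE = json.loads("""[
  {"id": "11111111-aaaa", "displayName": "Review Profile",
   "alias": "review profile config", "requirement": "REQUIRED",
   "requirementChoices": ["REQUIRED", "ALTERNATIVE", "DISABLED"]},
  {"id": "22222222-bbbb", "displayName": "User creation or linking",
   "requirement": "REQUIRED", "requirementChoices": ["REQUIRED", "DISABLED"]}
]""")


def plan_update(executions, alias=ALIAS):
    """Return the execution to PUT back, or None if it is already DISABLED."""
    matches = [e for e in executions if e.get("alias") == alias]
    if len(matches) != 1:
        raise LookupError(f"expected one execution with alias {alias!r}, found {len(matches)}")
    if matches[0]["requirement"] == "DISABLED":
        return None
    if "DISABLED" not in matches[0].get("requirementChoices", ["DISABLED"]):
        raise ValueError("DISABLED is not an allowed requirement for this step")
    updated = copy.deepcopy(matches[0])  # leave the fetched list untouched
    updated["requirement"] = "DISABLED"
    return updated


def apply(base_url, realm, token):
    """Fetch the flow's executions and PUT the change; True if something changed."""
    url = (f"{base_url}/admin/realms/{urllib.parse.quote(realm)}"
           f"/authentication/flows/{urllib.parse.quote(FLOW)}/executions")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        update = plan_update(json.load(resp))
    if update is None:
        return False
    req = urllib.request.Request(url, data=json.dumps(update).encode(),
                                 headers=headers, method="PUT")
    urllib.request.urlopen(req).close()
    return True
```

`plan_update(SAMPLE)` can be run offline to preview the payload; `apply()` needs a reachable Keycloak and an admin token for the realm.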