
Keycloak - Customer uses multiple email domains on one IdP. How do I configure the IdP in Keycloak to recognize both domains?


Note: We are currently using Keycloak 3.4.3. I know. It's way out of date.

We have a few customers using SSO integration (SAML and OIDC) to log in to our application. A customer is using Azure AD (SAML) for their identity provider. We have an identity provider configuration set up that works with one email domain. They want to add a second email domain with the same identity provider.

They've added users with the new email domain, but when you enter the email address in the "Login with an organization account" form (for third party login) you get a "Please enter a valid customer email address." message.

[screenshot: "Please enter a valid customer email address." error on the organization login form]

I believe with newer versions of Keycloak you can add additional domains to an IdP setup under the Authentication section of Keycloak. I'm not sure if this is possible with this old version of Keycloak, but hoping someone can help. I'd love to upgrade to the latest version, but we'll be moving to a completely new application later next year, so unfortunately we're not spending time to upgrade it.

I tried setting up an authentication flow using the identity provider redirector auth type, setting the alias as the additional email domain name, and the default identity provider to the alias of the current IdP configuration. But that didn't work.

[screenshot: authentication flow with the identity provider redirector]


Solution

  • I ended up getting on a call with our customer and worked out a simple solution. They were able to add another endpoint in Azure, and sent me the configuration URL. I just created a second identity provider entry for their other email domain, imported the config, and it worked.

    In the Keycloak IdP configuration, other than the alias and redirect URI, everything is identical to the other domain configuration. The Validating X509 Certificates setting does have some extra data, but that's it.
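The fix above amounts to two things: a second identity provider entry that differs from the first only in its alias (and therefore its broker redirect URI) and its certificate data, and a login form that maps the domain part of the entered email to an IdP alias. The following is an added example, not code from the question, the answer or the Keycloak project, that models both steps so you can check a cloned entry before importing it. It uses the top-level field names of Keycloak's identity provider representation (`alias`, `providerId`, `config`), assumes the `/auth/realms/<realm>/broker/<alias>/endpoint` redirect-URI layout of Keycloak 3.x, and all sample values (hostnames, aliases, certificate strings) are constructed.

```python
"""Added example: clone a SAML IdP entry for a second email domain and
check that only the expected fields changed, plus the email-domain ->
IdP-alias lookup that an organization-login form performs.
Field names follow Keycloak's identity provider representation; the
redirect-URI path layout is an assumption about Keycloak 3.x; every
sample value below is constructed."""
import copy
from typing import Dict, List, Optional

# Constructed sample: the customer's existing SAML IdP entry (fake values).
EXISTING_IDP: Dict = {
    "alias": "customer-example-com",
    "providerId": "saml",
    "enabled": True,
    "config": {
        "entityId": "https://login.example.test/saml",
        "singleSignOnServiceUrl": "https://login.example.test/saml/sso",
        "signingCertificate": "MIIC...constructed-first-cert...",
        "validateSignature": "true",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    },
}


def redirect_uri(base_url: str, realm: str, alias: str) -> str:
    """Broker endpoint for an IdP alias (assumed Keycloak 3.x path layout).
    This is the value that changes between the two entries."""
    return f"{base_url}/auth/realms/{realm}/broker/{alias}/endpoint"


def clone_idp_for_domain(existing: Dict, new_alias: str,
                         signing_certificate: Optional[str] = None) -> Dict:
    """Deep-copy an IdP entry, changing only the alias and, if the second
    Azure endpoint ships its own certificate, the signing certificate."""
    clone = copy.deepcopy(existing)  # never mutate the working entry
    clone["alias"] = new_alias
    if signing_certificate is not None:
        clone["config"]["signingCertificate"] = signing_certificate
    return clone


def config_differences(a: Dict, b: Dict) -> List[str]:
    """List every key whose value differs between two entries, with config
    keys reported as 'config.<key>'. Use it before importing the clone to
    confirm that nothing beyond alias/certificate drifted."""
    diffs: List[str] = []
    for key in sorted(set(a) | set(b)):
        if key != "config" and a.get(key) != b.get(key):
            diffs.append(key)
    ca, cb = a.get("config", {}), b.get("config", {})
    for key in sorted(set(ca) | set(cb)):
        if ca.get(key) != cb.get(key):
            diffs.append("config." + key)
    return diffs


# Constructed mapping used by the organization-login form: one customer,
# two email domains, two IdP aliases (the shape of the accepted answer).
DOMAIN_TO_ALIAS: Dict[str, str] = {
    "example.com": "customer-example-com",
    "example.org": "customer-example-org",
}


def idp_alias_for_email(email: str, domain_map: Dict[str, str]) -> Optional[str]:
    """Home-realm lookup: return the IdP alias for the email's domain, or
    None when the domain is unknown (the 'Please enter a valid customer
    email address' case in the question)."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return domain_map.get(domain)


if __name__ == "__main__":
    second = clone_idp_for_domain(EXISTING_IDP, "customer-example-org",
                                  "MIIC...constructed-second-cert...")
    print("changed fields:", config_differences(EXISTING_IDP, second))
    print("redirect URI:", redirect_uri("https://sso.example.test", "myrealm", second["alias"]))
    for addr in ("alice@example.com", "bob@Example.org", "eve@unknown.test"):
        print(addr, "->", idp_alias_for_email(addr, DOMAIN_TO_ALIAS))
```

Running the script shows the cloned entry differing only in `alias` and `config.signingCertificate`, which is the property the answer describes; if `config_differences` reports anything else, the import is not a clean copy of the working configuration.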