Identity Providers

Within this tab, you can add various Identity Providers.

With ZTrust, end users can log in through their preferred social media accounts.

This functionality will be activated upon adding the necessary details within the Identity Providers tab.

To select different Identity Providers, click Add provider and choose the desired option from the dropdown menu.

Name

It refers to the name of the provider

Provider

It specifies the provider.

Enabled

This setting has two values: True or False.

• When set to True, the Identity Provider is enabled.

• When set to False, the Identity Provider is disabled.

Hidden

This setting can be either True or False.

When True, it permits login with this provider only if explicitly requested.

When set to False, there are no such restrictions.

Link Only

This setting can be either True or False.

When set to True, it prevents users from directly logging in through this provider. They can only link their account to this provider.

This is useful if you want to integrate with a provider but do not want to permit direct login.

When set to False, there are no such restrictions.

GUI Order

It pertains to the arrangement of the available identity providers on the login page.

Actions

It includes the actions that can be performed for the Identity Provider, such as Edit or Delete.

Edit

If you want to perform any modifications for the particular Identity Provider, click on Edit.

Delete

If you do not want the Identity Provider any more, and you want to remove the Identity Provider, click on Delete.

Upon clicking Delete, you will receive a confirmation prompt as shown below.

Click on Delete if you want to proceed with removing the Identity Provider, otherwise click on Cancel.

After clicking on Edit, you will be redirected to the below screen

Redirect URI

This indicates the redirect URI that must be used when configuring the Identity Provider.

This field cannot be edited.

Client ID

It refers to the Client Identifier that is registered with the Identity Provider.

Client Secret

It specifies the client secret that is registered with the Identity Provider.

Hosted Domain

This configures the 'hd' query parameter when logging in with Google.

Google will display accounts only for the specified domain.

ZTrust will verify that the returned identity token includes a claim for this domain. When '*' is entered, any hosted account can be used.

Use userlp Param

This toggle button, when activated (toggled ON), includes the userIp query parameter when accessing Google's User Info service, utilizing the user's IP address.

This is beneficial if Google is limiting access to the User Info Service.

When deactivated (toggled OFF), the user's IP Address is not utilized.

You can toggle it ON or OFF according to your needs.

Request refresh token

This toggle button, when activated (toggled ON), includes the 'access_type' query parameter set to 'offline' when redirecting to the Google authorization endpoint.

This allows for obtaining a refresh token back, which is useful for Token Exchange to retrieve Google tokens for accessing Google APIs when the user is not in the browser.

When deactivated (toggled OFF), this feature is disabled.

You can toggle it ON or OFF according to your needs.

Default Scopes

It refers to the scopes that need to be included when requesting authorization.

Store Tokens

This toggle button, when activated (toggled ON), indicates that tokens should be stored after authenticating users.

When deactivated (toggled OFF), tokens should not be stored after authenticating users.

You can adjust it according to your needs by toggling it ON or OFF.

Stored Tokens Readable

This toggle button, when activated (toggled ON), allows new users to read any stored tokens.

This also assigns the broker read-token role.

When deactivated (toggled OFF), new users cannot read any stored tokens.

You can adjust it according to your needs by toggling it ON or OFF.

Enabled

This toggle button, when activated (toggled ON), enables this Identity Provider.

When deactivated (toggled OFF), it disables this Identity Provider.

You can adjust it according to your needs by toggling it ON or OFF.

Accepts prompt=none forward from client

This toggle button, when activated (toggled ON), forwards the request with prompt=none to this identity provider if the client sends such a request and the user is not yet authenticated.

This prevents the error from being directly returned to the client.

When deactivated (toggled OFF), this feature is disabled.

You can enable or disable it according to your needs.

Disable User Info

This toggle button, when activated (toggled ON), prohibits the usage of the User Info service to acquire additional user information.

When deactivated (toggled OFF), there is no such restriction in place.

The default setting will be to utilize the OIDC Service.

You can adjust it according to your needs by toggling it ON or OFF.

Trust Email

This toggle button, when activated (toggled ON), disregards email verification even if it's enabled for this realm.

When deactivated (toggled OFF), email verification is required.

You can adjust it according to your needs by toggling it ON or OFF.

Account Linking Only

When activated (toggled ON), this toggle button prevents users from logging in through this provider. They can only link their account to this provider. This is useful if you want to integrate with a provider but don't want to allow direct login.

When deactivated (toggled OFF), there is no such restriction.

You can adjust it according to your needs by toggling it ON or OFF.

Hide on Login Page

This toggle button, when activated (toggled ON), allows login with this provider only if requested explicitly.

When deactivated (toggled OFF), there is no such restriction.

You can adjust it according to your needs by toggling it ON or OFF.

GUI order

It pertains to the arrangement of the available identity providers on the login page.

First Login Flow

This refers to the authentication flow that occurs after the initial login with this identity provider. First Login indicates that there is currently no Keycloak account linked to the authenticated identity provider account.

Post Login Flow

This refers to the authentication flow triggered after each login with this Identity Provider. It's helpful if you want additional verification for each user authenticated with this Identity Provider.

If you don't want any additional authenticators to be triggered after login with this Identity Provider, you can leave this field empty.

Sync Mode

This pertains to the default synchronization mode for all mappers. The sync mode dictates when the user data will be synchronized using the mappers. The possible values are:

• Legacy: Maintains the behavior prior to the introduction of this option.

• Import: Imports the user data once during the first login of the user with this identity provider.

• Force: Always updates the user data during every login with this Identity Provider.

Save

If you want to implement those modifications made, click on Save.

Reset

If you decide not to apply the changes, click on Reset to discard them.

Mappers

You can search for any particular mapper through the Search box option.

Create

To create any new mappers, click on Create.

Name

It specifies the name of the mapper.

Sync Mode Override

This setting allows you to override the default sync mode of the Identity Provider for this specific mapper. The available values are:

• Legacy: Maintains the behavior before this option was introduced.

• Import: Imports the user only once during the first login of the user with this identity provider.

• Force: Always updates the user during every login with this identity provider.

• Inherit: Utilizes the sync mode defined in the identity provider for this mapper.

Mapper Type

It indicates the type of mapper being created.

You can refer to the table below to observe the various types of mappers and their respective purposes.

Mapper Type	Description
Hardcoded User Session Attribute	When a user is imported from the provider, assign a predefined value to a particular user session attribute.
Hardcoded Role	When a user is imported from the provider, assign a role mapping to it with predefined values.
Attribute Importer	Import user profile information from Social Provider JSON data into the designated user attribute if it exists.
Hardcoded Attribute	When importing a user from a provider, assign a fixed value to a specific user attribute.
Username Template Importer	Specify the format for importing the username.

User Session Attribute

It refers to the name of the user session attribute you want to hardcode.

User Session Attribute Value

It specifies the value you want to hardcode.

The settings and fields will differ based on the type of mapper being created.

Save

If you want to create a mapper with the details mentioned above, click on Save to implement those changes.

Reset

If you decide not to apply the changes, click on Reset to discard them.

Upon clicking on Save, an ID for this mapper will be automatically generated.

The created mapper will be listed under the Mappers tab as depicted below.

Name

It specifies the name of the mapper.

Category

It indicates the category of the mapper.

Type

It indicates the type of mapper.