Tags: idp, security, keycloak, sso, auth


In the Kublr Keycloak identity broker, it is possible to configure an external IdP (identity provider) and mark it as the default. Kublr then always redirects to that identity provider for login and never shows the Kublr login form.


Sometimes, though, it is still necessary to force the Kublr login form to be displayed. Examples include:

  • external IdP misconfiguration prevents any users from logging into Kublr
  • external IdP is down


To force the Kublr login form to be displayed in this situation, use the following URL:


https://{KCP-address}/auth/realms/kublr-ui/protocol/openid-connect/auth?client_id=kublr-ui&redirect_uri=https%3A%2F%2F{KCP-address}%2Fui%2F&response_type=code&kc_idp_hint=


Note that the KCP domain name must be substituted in two places in this URL, for example: https://my-kcp.example.com/auth/realms/kublr-ui/protocol/openid-connect/auth?client_id=kublr-ui&redirect_uri=https%3A%2F%2Fmy-kcp.example.com%2Fui%2F&response_type=code&kc_idp_hint=
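The substitution described above, as an added example (not part of the original article or of Kublr's tooling): a Python helper that fills in both occurrences of the KCP address and percent-encodes the `redirect_uri`, which matters when the address carries a port. The function name `kublr_login_form_url` is hypothetical.

```python
from urllib.parse import quote, urlencode, urlsplit

# Realm and client ID exactly as they appear in the URL above.
REALM = "kublr-ui"
CLIENT_ID = "kublr-ui"


def kublr_login_form_url(kcp_address: str) -> str:
    """Build the login-form URL for a bare KCP host, optionally with a port.

    Example inputs: "my-kcp.example.com" or "my-kcp.example.com:8443".
    """
    host = kcp_address.strip()
    # Accept only host[:port]. A scheme, path, query or userinfo in this
    # value would change where the browser is sent back after login.
    if not host or any(c in host for c in "/?#@\\ "):
        raise ValueError(f"expected host[:port], got {kcp_address!r}")
    parts = urlsplit(f"https://{host}")
    if not parts.hostname:
        raise ValueError(f"no hostname in {kcp_address!r}")
    _ = parts.port  # raises ValueError when the port is not a valid number

    params = [
        ("client_id", CLIENT_ID),
        # Second place the KCP address appears; encoded below.
        ("redirect_uri", f"https://{host}/ui/"),
        ("response_type", "code"),
        # Empty hint, as in the URL above.
        ("kc_idp_hint", ""),
    ]
    # quote with safe="" encodes ':' and '/' so the redirect_uri stays a
    # single query value (https%3A%2F%2F...), matching the article's URL.
    query = urlencode(params, quote_via=quote, safe="")
    return (
        f"https://{host}/auth/realms/{REALM}"
        f"/protocol/openid-connect/auth?{query}"
    )


if __name__ == "__main__":
    print(kublr_login_form_url("my-kcp.example.com"))
```

With a port in the address, the colon inside `redirect_uri` is encoded as `%3A` while the first occurrence of the address keeps the literal colon.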


This technique is described in the Keycloak documentation, in the "Client-suggested Identity Provider" section.