Does FusionAuth Support Cascading Identity Providers?
-
Keycloak allows for cascading or chained Identity Providers, where the authentication process starts with the first configured provider and continues down the chain until a user is successfully authenticated or all providers fail. Does FusionAuth have a comparable feature?
-
FusionAuth does not have a cascading Identity Provider (IdP) feature like Keycloak. Once an IdP is enabled for a FusionAuth application, it is available to all users logging into that application, and all enabled IdPs appear on the application’s login page, unless you modify the theme to change default behavior.
However, FusionAuth offers a feature somewhat similar to cascading IdPs: Managed Domains for Identity Providers. Here’s how it works:
- On the login page, users are initially prompted to enter their email address.
- Based on the email domain, FusionAuth automatically redirects the user to a specific IdP or to the standard username/password login.
- For example, users with @company.com could be directed to a corporate SAML IdP for authentication, while other domains can be mapped to different IdPs or the default login flow.
Key Differences:
- Predefined associations: You must configure email domains to map to specific IdPs beforehand.
- No chaining logic: FusionAuth does not attempt multiple IdPs sequentially during a single login attempt.
While Managed Domains is not equivalent to cascading IdPs, it is the closest feature FusionAuth provides for streamlining authentication based on user characteristics.
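To make the routing semantics concrete, here is a small Python model of the Managed Domains flow described above. It is an added illustration, not FusionAuth's own code: the `IdentityProvider` class, the exact-domain matching, the `accepts_login` flag and the constructed provider list are all assumptions chosen to show the two key differences (predefined mapping, no chaining) and a misconfiguration check for overlapping domains.

```python
from dataclasses import dataclass

@dataclass
class IdentityProvider:
    """Hypothetical IdP record: name plus the lowercased email domains mapped to it."""
    name: str
    domains: frozenset
    accepts_login: bool = True  # constructed flag standing in for the upstream IdP's verdict

def normalize_domain(email: str):
    """Return the lowercased domain part of an email address, or None if malformed."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()

def validate_unique_domains(providers):
    """Return domains claimed by more than one IdP; an ambiguous mapping is a config error."""
    seen, overlap = {}, set()
    for idp in providers:
        for d in idp.domains:
            overlap.add(d) if d in seen else seen.setdefault(d, idp.name)
    return sorted(overlap)

def route_login(email, providers):
    """Predefined association: pick the IdP whose domains contain the email's domain."""
    domain = normalize_domain(email)
    if domain is None:
        return "invalid-email"
    for idp in providers:
        if domain in idp.domains:   # assumption: exact domain match, no subdomain matching
            return idp.name
    return "username-password"       # unmapped domains fall back to the local login form

def attempt_login(email, providers):
    """No chaining: a rejection at the mapped IdP is final; the next IdP is never tried."""
    target = route_login(email, providers)
    if target in ("invalid-email", "username-password"):
        return target, None
    idp = next(p for p in providers if p.name == target)
    return target, idp.accepts_login

# Constructed sample configuration for a standalone run.
PROVIDERS = [
    IdentityProvider("corp-saml", frozenset({"company.com"})),
    IdentityProvider("partner-oidc", frozenset({"partner.example"}), accepts_login=False),
]
```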
-