keycloak-aws VS keycloak-documentation

To demonstrate the key differences between OIDC and SAML, I have created a small repo that allows to deploy Keycloak on an EC2 instance and then configure the SAML and OIDC clients to use with AWS. For those unfamiliar with Keycloak, it is an open source Identity and Access Management tool sponsored by RedHat and widely used by many of our customers and ourselves as an identity provider. Among other features, Keycloak supports SAML and OIDC protocols for identity management and provides user federation via LDAP that allows to use it with an existing user base from an Active Directory. After deployment of Keycloak and configuring the SAML and OIDC clients, we can use Keycloak to login into AWS. The SAML login can be performed by going to https://auth.\${TF\_VAR\_root\_dn}/realms/awsfed/protocol/saml/clients/amazon-aws where ${TF_VAR_root_dn} is the subdomain you need to create before the deployment. After entering the credentials for the user testuser that is created by the deployment scripts, we get redirected to the AWS console for the AWS account to which Keycloak has been deployed. If we would have assigned multiple roles to the same Keycloak group (or multiple groups to testuser), a page like the one below would appear (which would look familiar to everyone who already used SAML federation with AWS). If you like to experiment and have deployed everything from the repo, you can go to the network tab of the development tools of the browser, find the saml document there and copy its contents.

and then place this into a .jar file as described in the documentation. It turned out that it does not work like that at all. Firstly, the custom scripts are disabled by default as I found out looking at the Keycloak logs. To fix this, one needs either to activate the preview functions or enable the scripts option alone as described here. Secondly, "JavaScript" turned out to be very Java-based and needs to call functions from the corresponding Java classes of Keycloak:

I am looking to only allow access to specific subnets/ and ip ranges to the admin console. I need to do it in keycloak itself and not via another pice of the infrastructure. I found the documentation here: https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/threat/admin.adoc

https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/identity-broker/first-login-flow.adoc Copy broker flow, put Automatically set user account under create user if unique as alternative and faisable handle existing account But check the potential security breach, anybody Can create account on github and link it to internal account depending on your configuration.

keycloak.js