
Brokering

Brokering lets you accept logins from your existing external Identity Provider (IdP) (for example Google, Azure AD, or Okta) so you can authenticate those users inside Pony ID and have them complete LittleHorse User Tasks as if they were local users.

How brokering works (high level)

At a high level, the flow looks like this:

  1. A user tries to access the Console or any app that uses the Pony ID Backend.
  2. The user is redirected to your external IdP to authenticate.
  3. After a successful login, the external IdP returns a token to Keycloak, which acts as the intermediary and brokers the identity.
  4. Pony ID consumes the resulting OIDC token and applies your configuration for user identity and permissions.

Key implications:

  • The user is created on their first successful login (brokering does no bulk import of users).
  • User profile attributes can be copied in during that first-login import (see Profile Mappers below).

Users and groups with brokering

  • User Id: Pony ID lets you choose which JWT claim to use as the user_id when assigning User Tasks. This is configured independently of profile mappers. Common options are sub (UUID), email, or preferred_username. See the configuration section referenced from Users & Groups.
  • Groups: Only users are brokered. Groups are not brokered via this flow. You must create groups in Pony ID and manually assign members to those groups. Assignments reference groups by name.

Profile Mappers (in brokering)

Profile mappers are IdP-side configurations that map claims from a source IdP to target profile fields in your realm during brokering. For example, mapping Okta's fullName into Keycloak's firstName and lastName, or copying phone numbers and avatar URLs.
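As an added illustration (not Pony ID's or Keycloak's code), the following Python models the rules stated above for users, groups and profile mappers: the user_id claim is chosen independently of the mappers, profile attributes are copied only on the first login, and group membership comes from local assignments rather than from the token. The mapper table, the group assignments, the sample token and the broker_login function are all hypothetical constructs for this example.

```python
# Constructed sample: claims in the OIDC token Keycloak issues after brokering an Okta login.
SAMPLE_TOKEN = {
    "sub": "6f1c2a3e-0000-4000-8000-000000000001",
    "email": "alice@example.com",
    "preferred_username": "alice",
    "fullName": "Alice Example",   # Okta-style claim that a mapper splits into two fields
    "phoneNumber": "+1-555-0100",
}

# Hypothetical profile-mapper table: (source claim, mapper kind, target profile fields).
PROFILE_MAPPERS = [
    ("fullName", "split_name", ("firstName", "lastName")),
    ("phoneNumber", "copy", ("phone",)),
    ("picture", "copy", ("avatarUrl",)),   # absent from the sample token, so skipped
]

# Groups are not brokered: membership is assigned locally, keyed by group name.
GROUP_ASSIGNMENTS = {"approvers": {"alice@example.com"}}

USERS = {}   # local user store, keyed by the value of the configured user_id claim


def apply_mappers(claims):
    """Build the local profile from token claims using PROFILE_MAPPERS."""
    profile = {}
    for source, kind, targets in PROFILE_MAPPERS:
        if source not in claims:
            continue
        if kind == "split_name":
            first, _, last = claims[source].partition(" ")
            profile[targets[0]], profile[targets[1]] = first, last
        else:
            profile[targets[0]] = claims[source]
    return profile


def broker_login(claims, user_id_claim="sub"):
    """Resolve the local user for a brokered token; the user is created on first login only."""
    if user_id_claim not in claims:   # refuse tokens that cannot yield the configured user_id
        raise ValueError(f"token lacks configured user_id claim {user_id_claim!r}")
    user_id = claims[user_id_claim]
    user = USERS.get(user_id)
    if user is None:   # first login: import profile attributes once; later logins never overwrite
        user = USERS[user_id] = {"user_id": user_id, "profile": apply_mappers(claims)}
    # group membership always comes from local assignments, matched against user_id
    user["groups"] = {g for g, members in GROUP_ASSIGNMENTS.items() if user_id in members}
    return user
```

Note that switching the user_id claim from email to sub leaves the same person outside every group, because local assignments are matched against whichever claim value you configured.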