- Configure a browser flow if you use local or LDAP/AD authentication.
- Configure a post-sign in client flow if you use SSO.
The browser flow is internal to Keycloak and can’t be modified, so you must make a copy of it first.
Use Keycloak’s user management
Concurrent user session limits must be applied individually to each flow. If you have multiple clients or flows, you must add a concurrent user session limit for each one.Browser flow for Local and LDAP/AD authentication
- Copy the default browser flow (this default flow can’t be customized directly).
- Click the copy of the default flow.
- Click the Flow Name > Forms row from XYZ.
- From Actions, click Add Execution.
- Click User Session Count Limiter if the limit should be applied to a single user. Click Realm Session Count Limiter if the limit should be applied to all the users in a realm. A realm is the Keycloak version of a tenant.
- Return to the flow page.
- Set the execution you created to Required.
- From the Actions menu, click Config.
- Create a name for the execution and configure the authenticator. For User Session Count Limiter, you can select Deny new session or Terminate oldest session as the desired behavior.
- Click Clients > domino-play.
- In Authentication Flow Overrides, from Browser Flow, click your copied browser flow, and click Save.
First broker flow for API access
- Copy the direct grant flow (this default flow can’t be customized directly).
- Click the copy of the default flow.
- Click Add Execution on the Actions menu.
- Click User Session Count Limiter if the limit should be applied to a single user. Click Realm Session Count Limiter, if the limit should be applied to a group of users.
- Return to the flow page.
- Set the execution you just created to Required and click Config from the Actions menu in the same line.
- Create a name for the execution and configure the authenticator. For User Session Count Limiter, you can select Deny new session or Terminate oldest session as the desired behavior.
- Click Clients > domino-play.
- In Authentication Flow Overrides, from Direct Grant Flow, click your copied direct grant flow, and click Save.
SSO version
Unlike other kinds of flows, you can’t directly add a user session limit to a client authentication flow. However, you can still limit the number of user sessions if you add a flow that executes after the user signs in:- From the Keycloak sidebar, click Authentication.
- Click New on the Flow Definition page.
- Name the new flow, set the flow type to generic and click Save.
- Click Add Execution on the Actions menu.
- Click User Session Count Limiter if the limit should be applied to a single user. Click Realm Session Count Limiter if the limit should be applied to a group of users.
- Return to the flow page.
- Set the execution you just created to Required and click Config from the Actions menu in the same line.
- Create a name for the execution and configure the authenticator. For User Session Count Limiter, you can select Deny new session or Terminate oldest session as the desired behavior.
- From the sidebar, click Identity Providers and click your SSO provider.
- Open the Post Login Flow menu and click the flow you just created.
- Click Save.