How to separate SSO users from different sites?

Alvaro Gonzalez

I maintain a set of web applications that use a centralised SSO server (Red Hat SSO / Keycloak for what it's worth). Each application has its own subdomain:

• https://admin.example.com/
• https://client1.example.com/
• https://client2.example.com/

But login form is displayed in a different subdomain that's common to all apps, and you can only tell them apart from a URL parameter:

• https://auth.example.net:8080/auth/realms/ADMIN/protocol/openid-connect/auth?client_id=admin
• https://auth.example.net:8080/auth/realms/CLIENTS/protocol/openid-connect/auth?client_id=client1
• https://auth.example.net:8080/auth/realms/CLIENTS/protocol/openid-connect/auth?client_id=client2

As a result, I have to pick credentials from a huge list that includes every site users, which often share the same username (my email). This is further aggravated by the fact that user and password are typed in different pages.

Setting the full login form URL in vault item does not work (I guess only domain portion is considered).

I also went to "Account Settings/ URL Rules" to add some items, but neither "Host: auth.example.net:8080" nor "Host: auth.example.net" seem to make any difference, nor does leaving "Path" empty or setting it to "/auth/realms/ADMIN/protocol/openid-connect/auth?client_id=admin", etc.

Is there an arrangement I can do so LastPass only shows matches for the app I'm signing in, or it's an unsupported scenario?

Alvaro Gonzalez

Please add support for this. Single sign-on is becoming increasingly popular. As it's now, there're tons of usability issues:

• You're offered irrelevant users to pick from.
• You cannot type to filter because it types in the password field.
• You cannot use the search feature because it searches in your entire vault.
• After logging in, you're always asked to update the password of a random user in a dialog you need to dismiss manually