Getting "Disabling Automatic User Creation" to work

Hello community,

i have a problem and hoping for a advice.

I have set up two Keycloak servers, KC1 and KC2. KC2 acts as Identity Provider for KC1. So users in KC2 database are able to login over the KC1 login page. This works great, no problem so far.

But KC1 imports all users from KC2 into his own database at login. I want to disable this behavior - no userdata from KC2 should be stored in KC1. The “Server Administration Guide” handels this topic under “Disabling Automatic User Creation”. But after making the changes in “Disabling Automatic User Creation” (setting two rows in First Broker Login flow to DISABLED), new users from KC2 are no longer able to login in at all. :-/
Error message on screen is “Wrong username or password.

Users from KC1 database (including already imported users from KC2) are still able to login, but no new users from KC2.

The logs from KC2 are clean. The KC1 logs says:
WARN [] (default task-172) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=demo, clientId=demo1, userId=null, ipAddress=xxxxxx, error=invalid_user_credentials, identity_provider=keycloak-oidc_2, auth_method=openid-connect, redirect_uri=https://xxxx/redirect_uri/, identity_provider_identity=xxxx, code_id=aa7314cd-0e8d-4eed-b62a-f3188bfa63a3, authSessionParentId=aa7312cd-0e9d-4eed-b62a-f2187bfa63a3, authSessionTabId=6eE76t9cmx4
WARN [] (default task-203) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly( …

If i undo the changes from “Disabling Automatic User Creation”, all works like a charme, but i get the KC2 users imported.

So what configuration do i miss? Any hints?
I am using Java 11.0.5. and Keycloak Version 9.0.0 for KC1 and Version 8.0.1 for KC2.

Thank you in advance for your time! :smiley:


Same issue here, do you found a solution ?


We have a similar requirement where we have user visit realm A and redirected to realm B for authentication, once the auth completes, the user is stored in realm A as well and eventually becomes stale because of which we need to not have Keycloak store the user in realm A.
We tried doing whatever is mentioned in the “Disabling Automatic User Creation” section of the docs but to no avail. I keep getting an error “Username or password invalid”.
Please let me know if you guys were able to solve this.


We are also looking into a flow where this is a requirement for us. Has anyone been able to get this working?

Thanks in advance