I have a problem and am hoping for some advice.
I have set up two Keycloak servers, KC1 and KC2. KC2 acts as Identity Provider for KC1, so users in the KC2 database are able to log in via the KC1 login page. This works great, no problem so far.
But KC1 imports all users from KC2 into its own database at login. I want to disable this behavior: no user data from KC2 should be stored in KC1. The "Server Administration Guide" handles this topic under "Disabling Automatic User Creation". But after making the changes from "Disabling Automatic User Creation" (setting two rows in the First Broker Login flow to DISABLED), new users from KC2 are no longer able to log in at all. :-/
Error message on screen is “Wrong username or password.”
Users from the KC1 database (including already imported users from KC2) are still able to log in, but no new users from KC2.
The logs from KC2 are clean. The KC1 logs say:
WARN [org.keycloak.events] (default task-172) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=demo, clientId=demo1, userId=null, ipAddress=xxxxxx, error=invalid_user_credentials, identity_provider=keycloak-oidc_2, auth_method=openid-connect, redirect_uri=https://xxxx/redirect_uri/, identity_provider_identity=xxxx, code_id=aa7314cd-0e8d-4eed-b62a-f3188bfa63a3, authSessionParentId=aa7312cd-0e9d-4eed-b62a-f2187bfa63a3, authSessionTabId=6eE76t9cmx4
WARN [org.keycloak.services] (default task-203) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
at firstname.lastname@example.org//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1001) …
If I undo the changes from "Disabling Automatic User Creation", everything works like a charm, but I get the KC2 users imported.
So what configuration am I missing? Any hints?
I am using Java 11.0.5 and Keycloak version 9.0.0 for KC1 and version 8.0.1 for KC2.
Thank you in advance for your time!
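As an added example (not part of the original post, and not Keycloak's own tooling), here is a small Python helper that parses the key=value event lines KC1 writes under org.keycloak.events and picks out exactly the combination shown above: type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR with error=invalid_user_credentials and userId=null. Running it over the KC1 log lets you check whether every failed broker login is this same case or whether other errors are mixed in. The sample lines are constructed: the first two are modelled on the entries quoted in the post, the LOGIN_ERROR line and its values are made up to show a non-matching event.

```python
import re

# Constructed sample log, modelled on the KC1 entries in the post.
# The xxxx placeholders are kept from the post; the LOGIN_ERROR line is invented.
SAMPLE_LOG = """\
WARN [org.keycloak.events] (default task-172) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=demo, clientId=demo1, userId=null, ipAddress=xxxxxx, error=invalid_user_credentials, identity_provider=keycloak-oidc_2, auth_method=openid-connect, redirect_uri=https://xxxx/redirect_uri/, identity_provider_identity=xxxx, code_id=aa7314cd-0e8d-4eed-b62a-f3188bfa63a3, authSessionParentId=aa7312cd-0e9d-4eed-b62a-f2187bfa63a3, authSessionTabId=6eE76t9cmx4
WARN [org.keycloak.services] (default task-203) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
WARN [org.keycloak.events] (default task-180) type=LOGIN_ERROR, realmId=demo, clientId=demo1, userId=null, ipAddress=10.0.0.7, error=user_not_found, username=bob
"""

# Only org.keycloak.events lines carry the comma-separated key=value payload.
EVENT_RE = re.compile(r"\[org\.keycloak\.events\]\s+\(([^)]*)\)\s+(.*)$")


def parse_event(line):
    """Return the event fields as a dict, or None for non-event lines.

    Assumption: values contain no ', ' sequence, which holds for the
    fields Keycloak prints here (ids, URIs, provider aliases).
    """
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {"_task": m.group(1)}
    for part in m.group(2).split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def is_first_login_credential_error(event):
    """True for the exact failure signature quoted in the post."""
    return (
        event.get("type") == "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR"
        and event.get("error") == "invalid_user_credentials"
        and event.get("userId") == "null"
    )


def first_login_errors(log_text):
    """All matching events from a log, with the broker alias and external identity."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is not None and is_first_login_credential_error(event):
            hits.append(event)
    return hits


def summarize(log_text):
    """Count event types so you can see what else is failing besides first-login errors."""
    counts = {}
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is not None:
            counts[event.get("type")] = counts.get(event.get("type"), 0) + 1
    return counts


if __name__ == "__main__":
    for ev in first_login_errors(SAMPLE_LOG):
        print(ev["identity_provider"], ev["identity_provider_identity"], ev["_task"])
    print(summarize(SAMPLE_LOG))
```

To run it against a real server log, read the file and pass its contents to first_login_errors and summarize instead of SAMPLE_LOG; the org.keycloak.services stack-trace lines are ignored because they carry no key=value payload.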