I have an issue where customers are using Microsoft Active Directory + Okta and receiving an invalid username/password error in Keycloak after providing the correct password.
Flow: User successfully logs into Microsoft and is redirected to Okta homepage → User clicks on app → Invalid username/password error comes from Keycloak.
Workaround: Manually unlink and re-link idp for user in Keycloak.
We’re seeing this occur when a customer has mixed casing in their email address (i.e. Testuser@Test.com). All affected users are using Microsoft Active Directory. The problem is I can’t reproduce it. See logs below, note the following:
- userId=null
- auth_method=openid-connect (the idp in keycloak is set to SAML)
- identity_provider_identity=<USER_EMAIL>
log:2024-01-03 05:52:28,312 WARN [org.keycloak.events] (executor-thread-12481) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=<REALM_ID>, clientId=<CLIENT_ID>, userId=null, ipAddress=<IP_ADDRESS>, error=invalid_user_credentials, identity_provider=<IDENTITY_PROVIDER>, auth_method=openid-connect, redirect_uri=<REDIRECT_URI>, identity_provider_identity=<USER_EMAIL>, code_id=<UUID>, authSessionParentId=<UUID>, authSessionTabId=<TAB_ID> time:Jan 3, 2024 @ 00:52:28.312 stream:stdout logtag:F kubernetes.labels.app.kubernetes.io/name:sso
Has anyone been able to solve this? I’ve found similar posts online but haven’t found a working solution.