Hello,
in our use case we have a realm with local users and we would like to add a user federation from Active Directory, but the local users and the users from Active Directory could have the same username and/or email.
When we add a user federation from Active Directory to the same realm where the Keycloak local users are, we have the problem that local users have the same username and/or email as an Active Directory user; on a sync, Keycloak does not sync these users to the local users because of the duplicated username and/or email.
I searched for an option to overwrite these users with the ones from Active Directory, but I can't find any option to set this.
Since this is not possible, we have the following solution:
- we created a second realm for user-federated users
- we created a SQL trigger on the Keycloak user table to run a customized script which checks the newly imported users, based on the username and/or email, against the users in the other realm with the local users.
If the script finds a user which has the same username and/or email as the one from user federation, it deletes the user in the realm with the local users via the admin API.
As we couldn't find any other solution, we're not sure if this is a good or bad idea.
Maybe any of you could help us with a new idea or an option to overwrite existing users with the ones from user federation if the username and/or email are already in use.
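The cross-realm check the post describes, as a dry run that reports collisions instead of deleting anything. This is an added example, not code from the original post or from Keycloak. It assumes the user representation returned by Keycloak's admin REST API (`GET /admin/realms/{realm}/users`, with `id`, `username`, `email` and, for imported users, `federationLink`); the base URL, token and the two realms' user lists are constructed placeholders.

```python
"""Dry-run check for username/email collisions between a realm of local
Keycloak users and a realm backed by an Active Directory user federation.

Added example, not code from the original post. It assumes the user
representation returned by Keycloak's admin REST API
(GET /admin/realms/{realm}/users), which carries at least `id`,
`username`, `email` and, for imported users, `federationLink`.
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Optional


def _norm(value: Optional[str]) -> Optional[str]:
    # Keycloak stores usernames lowercased; emails are compared the same way
    # so that "A.Smith@example.com" and "a.smith@example.com" count as one.
    if value is None:
        return None
    value = value.strip().lower()
    return value or None  # empty strings never match anything


def find_conflicts(local_users: Iterable[Dict], federated_users: Iterable[Dict]) -> List[Dict]:
    """Return one record per local user whose username or email is also
    present on a federated user. Nothing is deleted; the caller decides."""
    by_username: Dict[str, Dict] = {}
    by_email: Dict[str, Dict] = {}
    for fed in federated_users:
        u = _norm(fed.get("username"))
        e = _norm(fed.get("email"))
        if u is not None:
            by_username[u] = fed
        if e is not None:
            by_email[e] = fed

    conflicts: List[Dict] = []
    for local in local_users:
        u = _norm(local.get("username"))
        e = _norm(local.get("email"))
        matched_on: List[str] = []
        fed_match = None
        if u is not None and u in by_username:
            matched_on.append("username")
            fed_match = by_username[u]
        if e is not None and e in by_email:
            matched_on.append("email")
            fed_match = fed_match or by_email[e]
        if matched_on:
            conflicts.append({
                "local_id": local.get("id"),
                "local_username": local.get("username"),
                "federated_id": fed_match.get("id"),
                "federated_username": fed_match.get("username"),
                "matched_on": matched_on,
            })
    return conflicts


def fetch_realm_users(base_url: str, realm: str, token: str, page_size: int = 100) -> List[Dict]:
    """Page through GET /admin/realms/{realm}/users with a bearer token.
    Network helper only; the offline demo below does not call it."""
    users: List[Dict] = []
    first = 0
    while True:
        url = f"{base_url}/admin/realms/{realm}/users?first={first}&max={page_size}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page)
        if len(page) < page_size:
            return users
        first += page_size


# Constructed sample data standing in for the two realms' user lists.
LOCAL_REALM_USERS = [
    {"id": "l-1", "username": "jdoe", "email": "j.doe@example.com"},
    {"id": "l-2", "username": "asmith", "email": "A.Smith@example.com"},
    {"id": "l-3", "username": "svc-backup", "email": ""},
    {"id": "l-4", "username": "mlee", "email": "m.lee@example.com"},
]
FEDERATED_REALM_USERS = [
    {"id": "f-1", "username": "jdoe", "email": "john.doe@corp.example", "federationLink": "ad-1"},
    {"id": "f-2", "username": "alice.smith", "email": "a.smith@example.com", "federationLink": "ad-1"},
    {"id": "f-3", "username": "svc-monitor", "email": "", "federationLink": "ad-1"},
]


if __name__ == "__main__":
    # With the sample data this reports jdoe (username) and asmith (email).
    for c in find_conflicts(LOCAL_REALM_USERS, FEDERATED_REALM_USERS):
        print(f"{c['local_username']!r} collides with federated "
              f"{c['federated_username']!r} on {c['matched_on']}")
```

The report lists which attribute collided, so a collision on email alone (two different usernames sharing one mailbox) is visible before any account is removed; the blank-email case is deliberately excluded so that two users without an email address are never treated as the same person.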