From OKTA(IDP), the users are pushed to Keycloak via SCIM. OKTA is also used for Single Sign On(SSO) and Keycloaks acts as a Identity Broker, between our application and OKTA which act as a Identity Provider(IDP). When users are logged in for the first time, they are re-directed to Review Profile page in Keycloak, upon filling that, keycloak detects that there is already an user account with the similar name and whether it needs to link it.
When the User clicks on Add to Existing Account, then it ask for Authentication. Since the User is authenticated via OKTA, we would not be able to authenticate the user in keycloak directly. Hence we are unable the link the user account.
The work around that we have now is as an Admin User, try to link the account by going Users->(select specific User)->Identity Provider Link and manually linking by giving the username created through SCIM and well as through OKTA as shown below
I can link my existing Accounts by e-mail verification. You have to configure your SMTP server in the realm settings, but it works perfectly for me.
Your scim users in keycloak should also have an e-mail address configured. I think this can be done via scim
