SCIM and SSO Handling - Automatic Linking of User Created through SCIM and SSO


From OKTA (IdP), the users are pushed to Keycloak via SCIM. OKTA is also used for Single Sign-On (SSO), and Keycloak acts as an Identity Broker between our application and OKTA, which acts as the Identity Provider (IdP). When users log in for the first time, they are redirected to the Review Profile page in Keycloak; upon filling that in, Keycloak detects that there is already a user account with a similar name and asks whether it should link it.

When the user clicks on Add to Existing Account, it asks for authentication. Since the user is authenticated via OKTA, we would not be able to authenticate the user in Keycloak directly. Hence we are unable to link the user account.

The workaround that we have now is, as an Admin user, to link the account by going to Users -> (select specific User) -> Identity Provider Link and manually linking by giving the username created through SCIM as well as the one from OKTA, as shown below.

Any ideas/pointers on how to link the user accounts automatically at the time of creation of users through SCIM?


I can link my existing accounts by e-mail verification. You have to configure your SMTP server in the realm settings, but it works perfectly for me.
Your SCIM users in Keycloak should also have an e-mail address configured. I think this can be done via SCIM.

Got another solution, and it worked for me without using the email.