Upsert External IdP Account

Hi, in my realm I use an external identity provider as the main identity provider (a dedicated flow prevents login with local credentials).
In the course of a migration scenario, I'd like to create user accounts via the API.

  • At the first login, I want the existing accounts to be linked automatically to the external IdP account without any manual step. The default “first broker login” flow would require existing users to have a password, which they should not have. I use EntraID and unfortunately cannot derive the subject id beforehand because they use some kind of hash, not the object id.
  • For new users, I want accounts to be created automatically and linked to the external IdP account.

I tried it with a custom “First login flow override” in the IdP that is basically:

  • CaseA [Alternative]
    • Step: Detect existing broker user [required]
    • Step: Automatically set existing user [required]
  • CaseB [Alternative]
    • Step: Create User If Unique [required]

So in my scenario, CaseA would be the update scenario where I want to link the user to an existing account without requesting manual input. CaseB would be for completely new users.

While CaseA works, in CaseB I get:
“User <…> authenticated with identity provider EntraID does not exist.”

In my understanding, since both outer subflows are [Alternative], just one of them must succeed; in the insert case this would be CaseB with CreateUserIfUnique.

Am I missing something?

cheers!

What about only having two alternatives!?

  • create user if unique
  • automatically set existing user

If the first alternative doesn't work (b/c the user exists), it will be set/linked in the second step.
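Why the flat two-alternative flow works where the nested one fails comes down to how Keycloak evaluates execution requirements: an ALTERNATIVE group only moves on to the next alternative when an authenticator reports "attempted"; an authenticator that reports "failure" aborts the whole authentication, even when it sits in a REQUIRED step inside an ALTERNATIVE subflow. The following is an added example (not code from this thread or from Keycloak) that models that evaluation rule and runs both flows for an existing and a new user. The authenticator behaviours in `run_authenticator` are modeled assumptions based on the error message quoted above; the provider ids (`idp-detect-existing-broker-user`, `idp-auto-link`, `idp-create-user-if-unique`) are Keycloak's own, and the username `jdoe` is a constructed sample.

```python
"""Model of Keycloak's REQUIRED / ALTERNATIVE evaluation for a first-broker-login flow.

Added example, not code from the thread or from Keycloak. Authenticator outcomes
below are modeled (assumption), based on the error observed in the thread.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Outcome(Enum):
    SUCCESS = "success"      # context.success(): this execution is satisfied
    ATTEMPTED = "attempted"  # context.attempted(): not applicable, try the next alternative
    # context.failure() is modeled as the FlowAborted exception: it ends the login.


class FlowAborted(Exception):
    """Raised when an execution calls failure(); Keycloak shows an error page."""


@dataclass
class Execution:
    requirement: str                          # "REQUIRED" or "ALTERNATIVE"
    authenticator: Optional[str] = None       # provider id for a plain execution
    subflow: List["Execution"] = field(default_factory=list)  # children of a subflow


@dataclass
class BrokerLogin:
    username: str
    idp_alias: str
    user_exists: bool       # a local account with this username already exists
    linked: bool = False    # the broker identity got linked to a local account
    created: bool = False   # a new local account was created


def run_authenticator(provider_id: str, ctx: BrokerLogin) -> Outcome:
    # Modeled behaviour (assumption), chosen to reproduce the thread's observations.
    if provider_id == "idp-detect-existing-broker-user":
        if ctx.user_exists:
            return Outcome.SUCCESS
        # Hard failure: this is the message the question reports for new users.
        raise FlowAborted(f"User {ctx.username} authenticated with identity provider "
                          f"{ctx.idp_alias} does not exist.")
    if provider_id == "idp-auto-link":
        if ctx.user_exists:
            ctx.linked = True
            return Outcome.SUCCESS
        raise FlowAborted("no existing user to link")
    if provider_id == "idp-create-user-if-unique":
        if ctx.user_exists:
            return Outcome.ATTEMPTED  # duplicate: hand over to the next alternative
        ctx.created = ctx.linked = True
        return Outcome.SUCCESS
    raise ValueError(f"unknown authenticator {provider_id}")


def run_flow(executions: List[Execution], ctx: BrokerLogin) -> Outcome:
    """REQUIRED: must not fail (attempted is tolerated). ALTERNATIVE: the first one
    that succeeds satisfies the group, attempted moves on, failure aborts everything."""
    alternatives_present = False
    alternative_satisfied = False
    for ex in executions:
        if ex.requirement == "ALTERNATIVE" and alternative_satisfied:
            continue  # remaining alternatives are skipped once one succeeded
        if ex.subflow:
            outcome = run_flow(ex.subflow, ctx)
        else:
            outcome = run_authenticator(ex.authenticator, ctx)
        if ex.requirement == "ALTERNATIVE":
            alternatives_present = True
            if outcome is Outcome.SUCCESS:
                alternative_satisfied = True
    if alternatives_present and not alternative_satisfied:
        return Outcome.ATTEMPTED
    return Outcome.SUCCESS


# Flow from the question: two ALTERNATIVE subflows with REQUIRED steps inside.
NESTED_FLOW = [
    Execution("ALTERNATIVE", subflow=[                        # CaseA
        Execution("REQUIRED", "idp-detect-existing-broker-user"),
        Execution("REQUIRED", "idp-auto-link"),
    ]),
    Execution("ALTERNATIVE", subflow=[                        # CaseB
        Execution("REQUIRED", "idp-create-user-if-unique"),
    ]),
]

# Flow from the answer: two flat ALTERNATIVE executions.
FLAT_FLOW = [
    Execution("ALTERNATIVE", "idp-create-user-if-unique"),
    Execution("ALTERNATIVE", "idp-auto-link"),
]


def simulate(flow: List[Execution], user_exists: bool) -> str:
    """Return 'created', 'linked', or the error message the user would see."""
    ctx = BrokerLogin("jdoe", "EntraID", user_exists)  # constructed sample login
    try:
        run_flow(flow, ctx)
    except FlowAborted as err:
        return f"error: {err}"
    return "created" if ctx.created else "linked"


if __name__ == "__main__":
    for name, flow in (("nested", NESTED_FLOW), ("flat", FLAT_FLOW)):
        for exists in (True, False):
            print(f"{name:6} flow, user exists={exists!s:5}: {simulate(flow, exists)}")
```

Running it shows the nested flow linking an existing user but aborting for a new one with the exact message from the question, while the flat flow creates new users and links existing ones. The takeaway for flow design is that only "attempted" falls through to the next alternative, so a step that fails hard for one of your user populations must not be the entry point of an alternative branch.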

Thanks! That solved it!