Hi, in my realm I use an external identity provider as the main identity provider (with a dedicated flow that prevents login with local credentials).
In the course of a migration scenario, I'd like to create user accounts via the API.
- At the first login, I want the existing accounts to be linked automatically to the external IdP account without any manual step. The default “first broker login” flow would require existing users to have a password, which they should not have. I use EntraID and unfortunately cannot derive the subject ID beforehand because they use some kind of hash, not the object ID.
- For new users, I want accounts to be created automatically and linked to the external IdP account.
I tried it with a custom “First login flow override” in the IdP that is basically:
- CaseA [Alternative]
  - Step: Detect existing broker user [required]
  - Step: Automatically set existing user [required]
- CaseB [Alternative]
  - Step: Create User If Unique [required]
So in my scenario, CaseA would be the update scenario, where I want to link the user to an existing account without requesting manual input. CaseB would be for completely new users.
While CaseA works, in CaseB I get:
“User <…> authenticated with identity provider EntraID does not exist.”
In my understanding, since both outer subflows are [Alternative], just one of them must succeed; in the insert case this would be “CaseB” with CreateUserIfUnique.
Am I missing something?
Cheers!
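The override flow from the question, scripted against the Keycloak Admin REST API as an added example (not code from the post or from Keycloak itself); it assumes an admin bearer token has already been obtained, that `base` is the server root, and that the flow alias `migration-first-login` is a placeholder.

```python
import json
import urllib.request

# Keycloak authenticator provider ids behind the display names used in the post.
DETECT_EXISTING = "idp-detect-existing-broker-user"  # "Detect existing broker user"
AUTO_LINK = "idp-auto-link"                          # "Automatically set existing user"
CREATE_IF_UNIQUE = "idp-create-user-if-unique"       # "Create User If Unique"

# The override flow from the post: both subflows ALTERNATIVE, every step REQUIRED.
PLAN = {"CaseA": [DETECT_EXISTING, AUTO_LINK], "CaseB": [CREATE_IF_UNIQUE]}


def _call(base, token, method, path, body=None):
    """Minimal Admin REST call; prefix `base` with /auth on pre-Quarkus servers."""
    req = urllib.request.Request(
        base + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def requirement_updates(executions):
    """Take the list GET .../flows/{alias}/executions returns (subflows carry
    authenticationFlow=True plus displayName, authenticators carry providerId)
    and return only the entries whose requirement differs from PLAN."""
    wanted = {}
    for sub, steps in PLAN.items():
        wanted[("flow", sub)] = "ALTERNATIVE"
        wanted.update({("auth", s): "REQUIRED" for s in steps})
    updates = []
    for ex in executions:
        key = (("flow", ex.get("displayName")) if ex.get("authenticationFlow")
               else ("auth", ex.get("providerId")))
        target = wanted.get(key)
        if target and ex.get("requirement") != target:
            updates.append({**ex, "requirement": target})
    return updates


def apply_plan(base, realm, token, alias="migration-first-login"):
    """Create the flow, its subflows and steps (new executions start DISABLED),
    then PUT the corrected requirements back."""
    p = f"/admin/realms/{realm}/authentication/flows"
    _call(base, token, "POST", p, {"alias": alias, "providerId": "basic-flow",
                                   "topLevel": True, "builtIn": False})
    for sub, steps in PLAN.items():
        _call(base, token, "POST", f"{p}/{alias}/executions/flow",
              {"alias": sub, "type": "basic-flow"})
        for step in steps:
            _call(base, token, "POST", f"{p}/{sub}/executions/execution", {"provider": step})
    for ex in requirement_updates(_call(base, token, "GET", f"{p}/{alias}/executions")):
        _call(base, token, "PUT", f"{p}/{alias}/executions", ex)
```

After `apply_plan` runs, select the new alias as the IdP's "First login flow override" and check the execution listing again to confirm every entry now reports the intended requirement.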