User problem: synchronization with federation and user storage provider

Hi to all, I have this scenario; it is all out of the box, no customization.
I have two Keycloak instances, one acting as service provider and the other as identity provider, using the SAML protocol.
In the identity provider I have configured an LDAP as a user storage provider.

I enter an application on the service provider and I can correctly authenticate using the identity provider (and the LDAP configured in the identity provider). So the user used by the service provider is, in the end, an LDAP user.
It works fine until, for some reason, I have to delete the user federation in the identity provider.

Deleting the LDAP user federation, all the users in the identity provider related to LDAP are automatically deleted. In the service provider I still have all the users automatically created during the login process and related to identity provider -> LDAP.

At this point I re-create the LDAP in the identity provider and I try to authenticate in the service provider using a user already present in the service provider (provisioned by the previous federated process). Using the same username, Keycloak understands that there is already a user with the same uid and asks me to authenticate to merge the two users. At this point I am redirected to the service provider login page to authenticate, but I get an authentication error.
Looking at the Keycloak log I have this entry:

14:53:11,607 WARN [] (default task-48) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=ServiceProvider, clientId=test-oidc, userId=613ffbe0-5b8e-410c-ab97-8d41c5ddf584, ipAddress=, error=invalid_user_credentials, identity_provider=saml, auth_method=openid-connect, redirect_uri=, identity_provider_identity=G-ef8b2a07-159d-484e-9c76-bcc1bda21c51, code_id=t2EAnAnMD-jAjf7YUGZdDA6sbJMP1_rkBiYMULabLhY, username=utente1, authSessionParentId=46ca99a1-22a3-4f92-89a8-10072f89f882, authSessionTabId=_1W3amcs_wg

From what I can understand, it is trying to use the identity_provider_identity=G-ef8… that is related to the new LDAP user storage provider, since the user already present on the service provider has, in "Identity Provider Links", another Provider User ID, the one related to the previous LDAP user federation.

In this way I cannot authenticate, and the only way to solve it is to delete the user already present in the service provider (created during provisioning of the first federation -> LDAP) and authenticate again. In this way a new user is provisioned on the service provider with the new Provider User ID in Identity Provider Links.

I know that it is a little complicated scenario, but it seems a Keycloak bug.

Does anyone have some idea?


I am continuing to make tests about this issue. I have found that, after recreating the new LDAP user storage, the authentication of the old users present in the service provider DB (the orphan users) is possible if I delete the identity provider links inside the user properties and manually recreate them using the value found in the log (that is, the new Provider User ID).
So the problem is that, erasing a user storage that is used in a federated environment (in the IdP), the related users in the IdP are deleted, while the users created during the federation process in the service provider are still present but with the old Provider User ID in the identity provider links. At this point it is not possible to use these users again, since the authentication process validates the Provider User ID and it is related to the old LDAP integration and not the new one.
Deleting the user in the service provider or changing the Provider User ID solves the problem, but I believe that this is an issue.

Any idea?
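The manual fix described in the follow-up (delete the stale identity-provider link on the service-provider user and recreate it with the Provider User ID taken from the IDENTITY_PROVIDER_FIRST_LOGIN_ERROR event) can be scripted so that stale links are first audited and only rewritten on request. The script below is an added example, not code from the post or from the Keycloak project. It assumes an admin bearer token, a base URL such as https://sp.example.com (older releases need the /auth prefix), and the standard admin REST endpoints under /admin/realms/{realm}/users/{id}/federated-identity; the embedded log line is a copy of the event quoted above, and the `send` callable is injectable so the logic can be exercised without a live server.

```python
import json
import re
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import quote

# Copy of the IDENTITY_PROVIDER_FIRST_LOGIN_ERROR event quoted in the post (constructed sample input).
SAMPLE_EVENT = (
    "14:53:11,607 WARN [] (default task-48) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, "
    "realmId=ServiceProvider, clientId=test-oidc, userId=613ffbe0-5b8e-410c-ab97-8d41c5ddf584, "
    "ipAddress=, error=invalid_user_credentials, identity_provider=saml, auth_method=openid-connect, "
    "redirect_uri=, identity_provider_identity=G-ef8b2a07-159d-484e-9c76-bcc1bda21c51, "
    "code_id=t2EAnAnMD-jAjf7YUGZdDA6sbJMP1_rkBiYMULabLhY, username=utente1, "
    "authSessionParentId=46ca99a1-22a3-4f92-89a8-10072f89f882, authSessionTabId=_1W3amcs_wg"
)

EVENT_FIELD = re.compile(r"(\w+)=([^,]*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a Keycloak event log line into its key=value fields (empty values kept)."""
    return {key: value for key, value in EVENT_FIELD.findall(line)}


def plan_relink(event: Dict[str, str], links: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Compare the external id the IdP presented (identity_provider_identity) with the
    FederatedIdentityRepresentation links stored on the SP user. Returns the link that
    should be stored, or None when the stored link already matches."""
    provider = event["identity_provider"]
    wanted = {"identityProvider": provider,
              "userId": event["identity_provider_identity"],
              "userName": event["username"]}
    for link in links:
        if link.get("identityProvider") == provider:
            return None if link.get("userId") == wanted["userId"] else wanted
    return wanted  # no link for this provider at all: it has to be created


# send(method, path, json_body_or_None) -> decoded JSON or None
Sender = Callable[[str, str, Optional[dict]], Optional[object]]


def make_admin_sender(base_url: str, token: str) -> Sender:
    """urllib-based caller for the Keycloak admin REST API (assumed base URL and token)."""
    def send(method: str, path: str, body: Optional[dict] = None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return send


def relink_user(realm: str, event: Dict[str, str], send: Sender, apply: bool = False) -> Dict[str, object]:
    """Audit (and, with apply=True, repair) the identity-provider link of the SP user
    named in the event, mirroring the manual fix: delete the stale link, then recreate
    it with the Provider User ID the IdP actually sent."""
    username = event["username"]
    # The username filter is a substring search, so match exactly on the client side.
    users = send("GET", f"/admin/realms/{realm}/users?username={quote(username)}", None) or []
    user = next((u for u in users if u.get("username") == username), None)
    if user is None:
        return {"status": "user_not_found"}
    uid = user["id"]
    links = send("GET", f"/admin/realms/{realm}/users/{uid}/federated-identity", None) or []
    wanted = plan_relink(event, links)
    if wanted is None:
        return {"status": "ok", "userId": uid}
    if not apply:
        return {"status": "stale_link", "userId": uid, "link": wanted}
    provider = wanted["identityProvider"]
    path = f"/admin/realms/{realm}/users/{uid}/federated-identity/{provider}"
    if any(link.get("identityProvider") == provider for link in links):
        send("DELETE", path, None)   # drop the link that still points at the old LDAP identity
    send("POST", path, wanted)       # store the link with the new Provider User ID
    return {"status": "relinked", "userId": uid, "link": wanted}


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    print(event["username"], "->", event["identity_provider"], event["identity_provider_identity"])
    # Live use (values are placeholders): relink_user(event["realmId"], event,
    #     make_admin_sender("https://sp.example.com", "<admin-token>"), apply=False)
```

Run it without `apply=True` first: the `stale_link` result shows which user and which Provider User ID would change, so the operator can confirm the new value really belongs to the same person before the link is rewritten.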