Hi to all, I have this scenario; it is all out of the box, no customization.
I have two Keycloak instances: one acts as service provider and the other as identity provider, using the SAML protocol.
In the identity provider I have configured an LDAP as a user storage provider.
I enter an application on the service provider and I can correctly authenticate using the identity provider (and the LDAP configured in the identity provider). So the user used by the service provider is in the end an LDAP user.
It works fine until, for some reason, I have to delete the user federation in the identity provider.
Deleting the LDAP user federation, all the users in the identity provider related to LDAP are automatically deleted. In the service provider I still have all the users automatically created during the login process and related to identity provider -> LDAP.
At this point I re-create the LDAP in the identity provider and I try to authenticate in the service provider using a user already present in the service provider (provisioned by the previous federated process). Using the same username, Keycloak understands that there is already a user with the same uid and asks me to authenticate to merge the two users. At this point I'm redirected to the service provider login page to authenticate, but I get an authentication error.
Looking at the Keycloak log I have this entry:
14:53:11,607 WARN [org.keycloak.events] (default task-48) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=ServiceProvider, clientId=test-oidc, userId=613ffbe0-5b8e-410c-ab97-8d41c5ddf584, ipAddress=127.0.0.1, error=invalid_user_credentials, identity_provider=saml, auth_method=openid-connect, redirect_uri=https://oidcdebugger.com/debug, identity_provider_identity=G-ef8b2a07-159d-484e-9c76-bcc1bda21c51, code_id=t2EAnAnMD-jAjf7YUGZdDA6sbJMP1_rkBiYMULabLhY, username=utente1, authSessionParentId=46ca99a1-22a3-4f92-89a8-10072f89f882, authSessionTabId=_1W3amcs_wg
From what I can understand, it is trying to use the identity_provider_identity=G-ef8… that is related to the new LDAP user storage provider, since the user already present on the service provider has, in "Identity Provider Links", another provider user id, the one related to the previous LDAP user federation.
In this way I can't authenticate, and the only way to solve it is to delete the user already present in the service provider (created during provisioning of the first federation -> LDAP) and authenticate again. In this way a new user is provisioned on the service provider with the new Provider user ID in Identity Provider Links.
I know that it is a slightly complicated scenario, but it seems like a Keycloak bug.
Does anyone have some idea?
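A way to confirm the stale-link diagnosis from the admin side, added here as example code that is neither from the post nor from Keycloak: it parses the event line quoted above, compares the asserted identity_provider_identity with the link stored for that user in the service-provider realm, and builds the admin REST calls that replace the stored link instead of deleting the whole user. It assumes the Keycloak admin REST endpoint `/admin/realms/{realm}/users/{id}/federated-identity/{provider}`, a base URL `https://kc.example` and an admin bearer token obtained separately; the stored link value is constructed.

```python
import json
import re
from urllib.request import Request, urlopen

# Constructed sample: the IDENTITY_PROVIDER_FIRST_LOGIN_ERROR event quoted in the post (trimmed)
EVENT_LINE = (
    "14:53:11,607 WARN [org.keycloak.events] (default task-48) "
    "type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=ServiceProvider, clientId=test-oidc, "
    "userId=613ffbe0-5b8e-410c-ab97-8d41c5ddf584, error=invalid_user_credentials, "
    "identity_provider=saml, identity_provider_identity=G-ef8b2a07-159d-484e-9c76-bcc1bda21c51, "
    "username=utente1"
)
# Constructed sample of GET /admin/realms/{realm}/users/{id}/federated-identity on the
# service-provider realm: the link still carries the id issued by the first LDAP federation.
STORED_LINKS = [
    {"identityProvider": "saml", "userId": "G-OLD-ID-FROM-FIRST-FEDERATION", "userName": "utente1"}
]


def parse_event(line):
    """Split a Keycloak event log line into its key=value fields."""
    return dict(re.findall(r"(\w+)=([^,\s]+)", line))


def find_stale_link(event, links):
    """Return (stored_id, incoming_id) when the broker link for the event's IdP points at a
    different external user id than the one the IdP asserts now; None when they agree."""
    idp, incoming = event["identity_provider"], event["identity_provider_identity"]
    for link in links:
        if link["identityProvider"] == idp and link["userId"] != incoming:
            return link["userId"], incoming
    return None


def relink_requests(base_url, realm, user_id, idp, incoming, username):
    """Build the two admin REST calls that replace the stale link with the new external id."""
    path = f"{base_url}/admin/realms/{realm}/users/{user_id}/federated-identity/{idp}"
    body = {"identityProvider": idp, "userId": incoming, "userName": username}
    return [("DELETE", path, None), ("POST", path, body)]


def apply_requests(requests, admin_token):
    """Send the calls built above; admin_token is a bearer token for the admin REST API."""
    for method, url, body in requests:
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
        with urlopen(req) as resp:
            print(method, url, resp.status)
```

The realm in the admin path is the realm name, which in the quoted event happens to match realmId; check it in your own events before relinking.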