User sync between multiple IDP

Hi all, I have an environment where Keycloak is asking two IdPs for authentication. At the moment, if a user authenticates on IDP1, the user is created internally in Keycloak. If the same user subsequently authenticates on IDP2, and the username is the same, Keycloak realizes that it is the same user and asks me to re-authenticate the user on IDP1 to connect the two identities in the internal DB. I wish I did not have to ask the user to re-authenticate on IDP1 after authenticating on IDP2; I would like the user to be logged in automatically if they come from certain IdPs. In short, I would like to give priority to some IdPs and trust their authentication to connect users. Is it possible to do this?

Maybe a first broker login flow with auto-linking will help:

https://www.keycloak.org/docs/latest/server_admin/index.html#automatically-link-existing-first-login-flow


Thanks! I will try this solution. In case I would like to use auto-linking only with a specific IdP, I imagine that I have to modify the flow and write some custom code. Correct?

In case you want this only with a specific IdP, you can assign the auto-linking flow only to that IdP. This is done in the IdP settings, not in the flow itself.

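What the last answer describes, as an added configuration example that is not from the original thread or from the Keycloak project itself: a realm export/import fragment that leaves the built-in "first broker login" flow on the untrusted provider and assigns a separate auto-linking flow to the trusted one. The flow aliases, the IdP aliases `idp1` and `idp2`, and the OIDC endpoints and client credentials are assumptions for illustration; the authenticator provider IDs `idp-create-user-if-unique` and `idp-auto-link` are the ones Keycloak ships for "Create User If Unique" and "Automatically Set Existing User".

```json
{
  "authenticationFlows": [
    {
      "alias": "first broker login auto-link",
      "description": "First-login flow that links a brokered identity to an existing local user without re-authentication. Assign only to trusted IdPs.",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        {
          "authenticator": "idp-create-user-if-unique",
          "requirement": "ALTERNATIVE",
          "priority": 10,
          "userSetupAllowed": false
        },
        {
          "authenticator": "idp-auto-link",
          "requirement": "ALTERNATIVE",
          "priority": 20,
          "userSetupAllowed": false
        }
      ]
    }
  ],
  "identityProviders": [
    {
      "alias": "idp1",
      "providerId": "oidc",
      "enabled": true,
      "trustEmail": false,
      "firstBrokerLoginFlowAlias": "first broker login",
      "config": {
        "issuer": "https://idp1.example.test",
        "authorizationUrl": "https://idp1.example.test/oauth2/authorize",
        "tokenUrl": "https://idp1.example.test/oauth2/token",
        "clientId": "keycloak-broker",
        "clientSecret": "replace-me",
        "syncMode": "IMPORT"
      }
    },
    {
      "alias": "idp2",
      "providerId": "oidc",
      "enabled": true,
      "trustEmail": true,
      "firstBrokerLoginFlowAlias": "first broker login auto-link",
      "config": {
        "issuer": "https://idp2.example.test",
        "authorizationUrl": "https://idp2.example.test/oauth2/authorize",
        "tokenUrl": "https://idp2.example.test/oauth2/token",
        "clientId": "keycloak-broker",
        "clientSecret": "replace-me",
        "syncMode": "IMPORT"
      }
    }
  ]
}
```

With this in place, a user arriving from `idp1` who already exists locally still goes through the stock flow and is asked to re-authenticate before the accounts are linked, while a user arriving from `idp2` is either created (if no local user matches) or linked straight to the matching local user. The check a practitioner should do after importing: open Authentication in the admin console, confirm both executions of the new flow show as Alternative, and confirm under Identity Providers that only `idp2` has "First login flow" set to it. The caveat that comes with it: auto-link matches on the email or username the IdP asserts, so whoever controls an account with a matching identifier at `idp2` gets the existing local account with all of its roles and group memberships, with no further proof. Assign the flow only to providers whose user directory you control or trust to the same degree as the local one.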