We developed our own user federation provider to pull users from a legacy application. It works fine: users and their attributes are retrieved.
We do not import users into the keycloak database.
We are also relying on an external identity provider (OIDC-compatible).
Login workflow is configured so that a user authenticating through the external identity provider is matched with an existing federated user if any is found in keycloak or, if not, the user is required to log in with username/password against the federation provider to make the association.
Everything works fine until a user is deleted and recreated in the user federation provider.
When the user logs in, the external identity provider authenticates the user, keycloak asks the federation provider about the previously known ID, which responds null.
The user is then required to log in with username/password as if he were unknown, keycloak saves the user as usual and the user is logged in.
But then when the user later logs in again using the external identity provider, keycloak complains about a duplicate entry and denies login.
In the database there are two entries for the same external identity ID, linked to the old and the new federation provider user ID: the former link between externalID and federationID has not been deleted when our federation provider responded null because the federationID was unknown.
We tried to call new UserManager(session).removeUser(realm, user, UserStoragePrivateUtil.userLocalStorage(session)); in getUserById() if the id is not found by our federation provider but it seems to do nothing.
Are we missing something? Is importing and syncing users mandatory in this scenario?
Thanks
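One way to keep the broker link table consistent with the legacy backend, as an added example that is not part of the original post or of Keycloak itself: when the provider's getUserById() learns that the backing user no longer exists, it removes the stale federated identity links stored for that Keycloak user id before returning null, so the next brokered login creates one fresh link instead of a duplicate. It assumes a recent Keycloak SPI (UserLookupProvider.getUserById(RealmModel, String), UserStorageUtil.userFederatedStorage()); LegacyClient, LegacyUser and LegacyUserAdapter are hypothetical types standing in for the poster's own legacy integration.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageUtil;
import org.keycloak.storage.federated.UserFederatedStorageProvider;
import org.keycloak.storage.user.UserLookupProvider;

public class LegacyUserStorageProvider implements UserStorageProvider, UserLookupProvider {
    private static final Logger log = Logger.getLogger(LegacyUserStorageProvider.class);

    private final KeycloakSession session;
    private final ComponentModel model;
    private final LegacyClient legacy; // hypothetical client for the legacy application

    public LegacyUserStorageProvider(KeycloakSession session, ComponentModel model, LegacyClient legacy) {
        this.session = session;
        this.model = model;
        this.legacy = legacy;
    }

    @Override
    public UserModel getUserById(RealmModel realm, String id) {
        // Keycloak ids for federated users look like "f:<componentId>:<externalId>";
        // StorageId strips the prefix so only the legacy id is sent to the backend.
        String externalId = StorageId.externalId(id);
        LegacyUser found = legacy.findById(externalId); // hypothetical lookup
        if (found != null) {
            return new LegacyUserAdapter(session, realm, model, found); // hypothetical adapter
        }
        // The backing user was deleted (or recreated under a new id): drop the broker
        // links that still point at this Keycloak id, otherwise the IdP's external
        // identity ends up linked to two federation ids and later logins are rejected.
        purgeStaleBrokerLinks(realm, id);
        return null;
    }

    private void purgeStaleBrokerLinks(RealmModel realm, String keycloakUserId) {
        UserFederatedStorageProvider fed = UserStorageUtil.userFederatedStorage(session);
        List<FederatedIdentityModel> links =
                fed.getFederatedIdentitiesStream(keycloakUserId, realm).collect(Collectors.toList());
        for (FederatedIdentityModel link : links) {
            // Log the removal so the unlink is visible in the server log for auditing.
            log.infof("removing stale broker link %s/%s for vanished user %s",
                    link.getIdentityProvider(), link.getUserId(), keycloakUserId);
            fed.removeFederatedIdentity(realm, keycloakUserId, link.getIdentityProvider());
        }
    }

    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) { return null; } // elided

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) { return null; } // elided

    @Override
    public void close() { }
}
```

The links are read into a list before deletion so the storage is not modified while its stream is still open; the deletion only affects broker links, not the realm's other per-user federated data.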