SAML and FIDO2


James Conners

Aug 12, 2025, 1:25:58 AMAug 12
to Keycloak Dev

Hello all,

I'm adding WebAuthn passwordless authentication to my KC server, but am having issues with clients that currently support SAML.

My OIDC clients work just fine, but the SAML clients generate an error. KC shows both the error and that authentication is successful.

When the user authenticates with their passkey, KC gets the credentialPublicKey and the credentialID from the passkey. But if it's a SAML client, KC tries to link the credentialID instead of the username. This causes KC to generate a "Failed to process response" error, because the username is null. However, since KC processed a valid authentication request, when I resubmit the original link, the user is authenticated.

However, I stumbled upon a "fix". If I set the user account's 'Required user actions' to 'Linking Identity Provider', then KC internally tries to link the passkey to the user's linked IDP profiles, internally creating a "FEDERATED_IDENTITY_LINK_ERROR", which is expected, but this process causes the authentication flow to function normally from the user's perspective.

Since a passkey is a credential, there does not seem to be a way to create a mapping.

I'm not sure if this flow is intended, or a bug, or if I am missing some other process entirely.

Is there a different solution for this, or any ideas on how a mapping from the credentialID to the username can be created?

Thanks in advance.

Alexander Schwartz

Aug 12, 2025, 1:49:08 AMAug 12
to James Conners, Keycloak Dev
Hi James,

This sounds like it would be best treated as a bug.

Please open a bug in our GitHub issue tracker: https://github.com/keycloak/keycloak

It will also ask for additional details like the Keycloak version you are using. Please verify that the problem exists with the latest released version of Keycloak.

Best,
Alexander


--
Alexander Schwartz, RHCE
He/Him
Principal Software Engineer, Keycloak Maintainer
alexander...@ibm.com

IBM Data Privacy Statement

IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Wolfgang Wendt
Managing Director: David Faller
Registered office: Böblingen / Registry court: Amtsgericht Stuttgart, HRB 243294
