Good morning all,
I'm trying to add Webauthn passwordless authentication to my KC server, but am having issues with clients that currently support SAML.
My OIDC clients work just fine, but the SAML clients generate an error. KC shows both the error and that authentication is successful.
When the user authenticates with their passkey, KC gets the credentialPublicKey and the credentialID from the passkey. But if it's a SAML client, KC tries to link the credentialID instead of the username. This causes KC to generate a "Failed to process response" error, because the username is null. However, since KC processed a valid authentication request, when I resubmit the original link, the user is authenticated.
However, I stumbled upon a "fix". If I set the user account's 'Required user actions' to 'Linking Identity Provider', then KC internally tries to link the passkey to the user's linked IDP profiles, internally creating a "FEDERATED_IDENTITY_LINK_ERROR", which is expected, but this process causes the authentication flow to function normally from the user's perspective.
Since a passkey is a credential, there does not seem to be a way to create a mapping.
I'm not sure if this flow is intended, or a bug, or if I am missing some other process entirely.
Is there a different solution for this, or any ideas on how a mapping from the credentialID to the username can be created?
Thanks in advance.
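For readers following this thread, the following is an added illustration, not code from the original post and not Keycloak's implementation: the relying-party bookkeeping that the WebAuthn verification steps require for a discoverable credential (passkey), which is exactly the credentialID to account mapping the question asks about. The store, the class and function names (`CredentialStore`, `register`, `resolve_user`) and the constructed sample credentials are assumptions for the example; assertion signature verification is deliberately left out so the lookup logic stands alone.

```python
"""Relying-party bookkeeping for WebAuthn discoverable credentials (passkeys).

Constructed example: an in-memory store that keeps the credentialID -> account
mapping a relying party needs, and resolves an incoming assertion to a username
the way the WebAuthn verification steps describe (userHandle first, then a check
that the credentialID really belongs to that account). Verifying the assertion
signature against the stored credentialPublicKey is out of scope here.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class StoredCredential:
    credential_id: bytes
    public_key: bytes          # the credentialPublicKey as registered (kept opaque here)
    sign_count: int = 0        # last signature counter seen; used for clone detection


@dataclass
class Account:
    username: str
    user_handle: bytes         # random opaque id; the authenticator returns it as userHandle
    credentials: Dict[bytes, StoredCredential] = field(default_factory=dict)


class CredentialStore:
    """Hypothetical in-memory store; a real deployment keeps this in the user database."""

    def __init__(self) -> None:
        self._by_handle: Dict[bytes, Account] = {}
        self._by_username: Dict[str, Account] = {}
        self._by_credential: Dict[bytes, Account] = {}

    def register(self, username: str, credential_id: bytes, public_key: bytes) -> Account:
        """Store a new passkey for an account, creating the account if needed."""
        account = self._by_username.get(username)
        if account is None:
            # The user handle must not be the username: it is returned by the
            # authenticator in the clear and should carry no personal data.
            account = Account(username=username, user_handle=os.urandom(16))
            self._by_username[username] = account
            self._by_handle[account.user_handle] = account
        if credential_id in self._by_credential:
            raise ValueError("credentialID already registered")
        account.credentials[credential_id] = StoredCredential(credential_id, public_key)
        self._by_credential[credential_id] = account
        return account

    def resolve_user(self, credential_id: bytes, user_handle: Optional[bytes],
                     sign_count: int) -> str:
        """Map an assertion back to a username, or raise if the mapping cannot be trusted."""
        if user_handle is not None:
            # Discoverable credential: the userHandle identifies the account...
            account = self._by_handle.get(user_handle)
            if account is None:
                raise LookupError("unknown userHandle")
            # ...and the credentialID must be one of that account's registered keys.
            if credential_id not in account.credentials:
                raise LookupError("credentialID does not belong to the userHandle's account")
        else:
            # Non-discoverable flow: the credentialID alone selects the account.
            account = self._by_credential.get(credential_id)
            if account is None:
                raise LookupError("unknown credentialID")
        cred = account.credentials[credential_id]
        # When the authenticator supports a counter it must move forward;
        # a repeated or lower value is a sign of a cloned authenticator.
        if sign_count != 0 and sign_count <= cred.sign_count:
            raise LookupError("signature counter did not increase; possible cloned authenticator")
        cred.sign_count = sign_count
        return account.username


if __name__ == "__main__":
    store = CredentialStore()
    alice = store.register("alice", b"constructed-cred-A", b"constructed-pk-A")
    print(store.resolve_user(b"constructed-cred-A", alice.user_handle, 1))
```

The point of resolving through the userHandle first and then checking ownership of the credentialID is that the relying party never has to trust a username supplied by the client: the account is derived from what the authenticator signed over, which is the mapping a SAML or OIDC front end would then receive as the authenticated subject.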