Migrating Users between Identity Providers?

[Mark Watson]

Hi Keycloak Users,

Have any of you worked with use cases where you've had to migrate users between identity providers or Active Directory systems? Are there any best practices for performing this kind of user migration?

e.g.:

I have users that are currently authenticating with Okta but will now be using Azure AD.

or I have locally managed users in Keycloak but want to move user identities to an external SAML2/OAuth2 provider.

Would the process be any different if I were to be migrating from a user pool in LDAP to an external provider?

Thanks in advance,

-Mark

[Björn Eickvonder]

Assuming user name stays the same, user can just link their accounts to the new IDP which means they have to either type in their password or they get an email where they have to click once.

If you want to avoid that you need a custom authentication flow using the idp-auto-link authenticator.