Link IdP to existing user


Jan Smets

Jan 27, 2020, 5:18:27 AM1/27/20
to Keycloak User
Hi

I’m trying to get a First Login flow working whereby only pre-created users are allowed to log in. 
MS Azure AD is used as trusted IdP. The users are created in Keycloak with username+email and without any IdP Links.

My IdP uses SAML 2.0 and has mappers configured for username and email. Username is an Attribute Importer and username uses the Username Template Importer with template ${ATTRIBUTE.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/onpremisessamaccountname}. I verified that both of these are mapped correctly (i.e., with the default First Broker Login flow the account is created with the expected parameters).

The only way I can get existing users to link to the IdP is using “Create User If Unique” in the First Login flow, as described in the “Automatically Link Existing First Login Flow” documentation item, but that would also create user accounts for about anyone, which is not what I want. 

I’ve tried to use “Automatically Set Existing User” (to set the existing user to the auth context) and then “Confirm Link Existing Account”. But here the login page returns “Invalid username or password” and the server logs contain:

Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Unexpected state. There is no existing duplicated user identified in ClientSession

It seems that authSession.getAuthNote(EXISTING_USER_INFO); fails to look up the existing user, which seems to be (only?) set by IdpCreateUserIfUniqueAuthenticator.

Is this a supported flow ? 

I’m using Keycloak 8.0.1, the client uses OIDC.
Thank you in advance for your help.

 - Jan

Naresh Reddy

Jan 28, 2020, 3:14:29 AM1/28/20
to Keycloak User
I have a similar kind of requirement too. Is it supported?

Fabio Grasso

Jun 4, 2020, 6:24:41 AM6/4/20
to Keycloak User
Hello there,
I'm facing the same issue: I've configured Okta as IdP (I'm using SAML, but it seems that the error is not related to SAML or OpenID, nor to the type of IdP used) and then configured an Authentication flow with "Automatically Set Existing User".

When I try to login using my IdP I receive an "Invalid username or password" error and in Keycloak log I see this exception:

[org.keycloak.services] (default task-227) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Unexpected state. There is no existing duplicated user identified in ClientSession
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.getExistingUser(AbstractIdpAuthenticator.java:120)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.authentication.authenticators.broker.IdpEmailVerificationAuthenticator.authenticateImpl(IdpEmailVerificationAuthenticator.java:83)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:76)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:438)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:247)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:976)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.services.resources.LoginActionsService$1.authenticateOnly(LoginActionsService.java:792)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:838)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:313)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:822)
        at org.keycloak.keycloak-services@10.0.1//org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:716)
        at jdk.internal.reflect.GeneratedMethodAccessor1103.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
[...]


The same happens if I use "Confirm Link Existing Account" and "Verify Existing Account By Email". The only way to log in is to manually link the Keycloak user with my IdP (by creating an Identity Provider Link in the user settings).

It seems that there is something wrong during the lookup of the existing user.

In SAML assertion I'm sending the email address as NameID, and I'm sending also firstName, lastName and email as additional attribute.

Do you have any suggestion on how to solve?

Thanks in advance for your help,
Fabio

Juan Blanco

Oct 1, 2021, 3:57:57 PM10/1/21
to Keycloak User
Hi Fabio, 

Were you able to find a solution for this? I have the same issue.

Best Regards. 

Konrad Najder

Oct 4, 2021, 3:02:45 AM10/4/21
to Keycloak User
This configuration is supported in Keycloak, but only from version 13.0.0 onwards, and requires the Detect existing broker user authenticator to set the IdP user in the EXISTING_USER_INFO auth note.
It can be backported to earlier versions, either through a script authenticator or a regular extension, though of course an upgrade would be preferable. 

The flow itself is described in Server Administration docs.
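The flow Konrad describes, as an added example that is not code from this thread or from the Keycloak project: a Python script that creates a First Broker Login flow consisting of "Detect existing broker user" followed by "Automatically set existing user" through the Keycloak Admin REST API, and assigns it to an identity provider. The realm name "demo", the flow alias "link-existing-only", the IdP alias "azure-ad" and the KC_URL / KC_TOKEN environment variables are assumptions; the admin bearer token is obtained elsewhere. The request-building functions return plain (method, path, body) tuples so the calls can be inspected before anything touches a server.

```python
"""
Added example: configure a First Broker Login flow that links a brokered
identity to an already existing Keycloak user (Keycloak >= 13.0.0).
Assumed names: realm "demo", flow "link-existing-only", IdP "azure-ad".
"""
import json
import urllib.request
from urllib.parse import quote

# Provider IDs of the two built-in broker authenticators involved.
DETECT_EXISTING = "idp-detect-existing-broker-user"   # sets EXISTING_USER_INFO
AUTO_LINK = "idp-auto-link"                           # "Automatically set existing user"

# Both REQUIRED, so the auto-link step only runs after a local user was found.
STEPS = [(DETECT_EXISTING, "REQUIRED"), (AUTO_LINK, "REQUIRED")]


def flow_base(realm):
    return f"/admin/realms/{quote(realm, safe='')}/authentication/flows"


def create_flow_requests(realm, flow_alias):
    """Requests that create the top-level flow and append its executions."""
    base = flow_base(realm)
    reqs = [("POST", base, {
        "alias": flow_alias,
        "providerId": "basic-flow",
        "topLevel": True,
        "builtIn": False,
        "description": "Link IdP identity to a pre-created user only",
    })]
    exec_path = f"{base}/{quote(flow_alias, safe='')}/executions/execution"
    for provider, _ in STEPS:
        reqs.append(("POST", exec_path, {"provider": provider}))
    return reqs


def requirement_updates(realm, flow_alias, executions):
    """Executions added through the API start as DISABLED; build the PUTs
    that set the planned requirement. `executions` is the body returned by
    GET .../flows/{alias}/executions. Other providers are left untouched."""
    wanted = dict(STEPS)
    path = f"{flow_base(realm)}/{quote(flow_alias, safe='')}/executions"
    return [("PUT", path, {"id": ex["id"], "requirement": wanted[ex["providerId"]]})
            for ex in executions if ex.get("providerId") in wanted]


class AdminClient:
    """Minimal JSON client for the Admin REST API; token acquired elsewhere."""

    def __init__(self, server_url, token):
        self.server_url = server_url.rstrip("/")
        self.token = token

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.server_url + path, data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None


def configure(client, realm, flow_alias, idp_alias):
    for method, path, body in create_flow_requests(realm, flow_alias):
        client.call(method, path, body)
    listing = client.call("GET", f"{flow_base(realm)}/{quote(flow_alias, safe='')}/executions")
    for method, path, body in requirement_updates(realm, flow_alias, listing):
        client.call(method, path, body)
    # PUT on an IdP instance replaces the whole representation: read, modify, write.
    idp_path = (f"/admin/realms/{quote(realm, safe='')}/identity-provider/instances/"
                f"{quote(idp_alias, safe='')}")
    idp = client.call("GET", idp_path)
    idp["firstBrokerLoginFlowAlias"] = flow_alias
    client.call("PUT", idp_path, idp)


if __name__ == "__main__":
    import os
    configure(AdminClient(os.environ["KC_URL"], os.environ["KC_TOKEN"]),
              "demo", "link-existing-only", "azure-ad")
```

Two checks are worth running once this is applied. First, log in through the IdP with an account whose username or email matches a pre-created Keycloak user: the user should get an Identity Provider Link and a session without any account being created. Second, log in with an IdP account that matches nothing: the requirement of this thread is that such a login is rejected, so confirm that no new user appears in the realm. Keep in mind what the link is keyed on: the username and email that the IdP mappers import. Automatically linking on those values means the IdP is trusted to assert them correctly; if end users can edit their own email at the IdP, they can claim whichever local account carries that address, so this flow only belongs in front of an IdP whose attributes are administratively controlled.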

Juan Blanco

Oct 5, 2021, 1:07:14 PM10/5/21
to Keycloak User
Hi Konrad, I am using version 14.0.0 and I am still not able to link an existing user. I have created another post here if you would like to see what my error is: https://groups.google.com/g/keycloak-user/c/1Ib0951DOhU

But basically the same thing: not able to link an IdP user to an existing account in ADLDS.

I appreciate any help. 

Best Regards. 


