Dealing with login loop


Francis Augusto Medeiros-Logeay

Oct 6, 2025, 9:05:58 AM
to 'Francis Augusto Medeiros-Logeay' via Keycloak User
Hi,

This is probably a very atypical problem, but I wonder if someone has a way to deal with it.

Our organization's Keycloak offers both username/password login and an IdP login.

The IdP we've configured has a lot of other similar organizations, including ourselves.

We recently changed our tenant on that IdP, so that it redirects to our Keycloak instance.

So our users, instead of typing their username/password, got sent to our own Keycloak. After the user realizes he has gone into a loop, he types his username and password. After authentication, Keycloak throws an error saying that the user is already authenticated.

Is there a way to deal cleanly with this?

Now, a few details:

- Why would users use that IdP? Because of SSO. Users can authenticate there via Entra ID, and clicking on the IdP does SSO.

- We ended up removing our institution from that IdP, which means that only external users can use it. But it would be nice to have it because of SSO.

The flow is like this:

- Keycloak: user can authenticate using IdP or username/password
- IdP: it actually redirects to Entra ID. If the user is already authenticated on Entra, he is authenticated on the IdP. If not, Entra will send the user to our Keycloak.

Probably too confusing, but if you got it, let me know if there is a better way to deal with this.

Best,
Francis