Reputation: 51
I am working on an authentication/authorization flow with Keycloak. I have manually registered some users inside Keycloak.
Now I am using Azure AD as an IDP. When I try to log in with Azure AD for some email address (the email already exists in Keycloak), I get the error "User with email <EMAIL> already exists. How do you want to continue?"
My requirement is to automatically merge my IDP-authenticated user with the existing Keycloak user (same email) by skipping the above screen.
Is there a way to achieve this?
I don't want redundant users in Keycloak for the same email address.
Upvotes: 3
Views: 2030
Reputation: 370
The best solution I found is to create a new authentication flow that solves this "dilemma" automatically and assign it as the first login flow for this identity provider.
Currently, when you reach this page you are actually reaching the "first broker login" flow.
You should create a new flow (go to "Authentication" and create a flow).
Name your flow (I named it "Link Azure account with existing account") and add two steps to the new flow -
First is "Create user if unique", pretty self-explanatory. Second step is "Automatically set existing user", basically the equivalent of clicking the "add to existing account" button in your error screen. The requirements for these steps are "alternative" because neither of them is fully mandatory.
It should look like this -
Now go to your Azure identity provider and in the "First login flow" choose the new authentication flow you have created and that's it!
Bonus tip - Want to get rid of the login form where your users need to click "login with AzureAD"? Go to the browser authentication (or whatever authentication flow you are using for this scenario) and in the "Identity Provider Redirect" step click the little gear icon and set up your Azure identity provider as the default identity provider. Now when a user clicks the login button he automatically goes through the entire login flow without any extra forms or dilemmas.
Upvotes: 5
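The same setup as the answer above, scripted against the Keycloak Admin REST API (an added example, not code from the answer or from the Keycloak project). It assumes the Keycloak provider ids `idp-create-user-if-unique` and `idp-auto-link` for the two executions, an identity-provider alias of `azure-ad`, and an admin bearer token obtained separately; `validate_flow` checks the result the way a reviewer would, and automatic linking only makes sense if the IdP is trusted to have verified the email it asserts.

```python
import json
import urllib.parse
import urllib.request

FLOW_ALIAS = "Link Azure account with existing account"
# Keycloak provider ids of the two executions named in the answer (assumed ids)
EXECUTIONS = {
    "idp-create-user-if-unique": "ALTERNATIVE",  # "Create User If Unique"
    "idp-auto-link": "ALTERNATIVE",              # "Automatically Set Existing User"
}


def flow_payload(alias):
    """Body for POST /admin/realms/{realm}/authentication/flows (new top-level flow)."""
    return {"alias": alias, "providerId": "basic-flow", "topLevel": True, "builtIn": False}


def requirement_updates(executions):
    """From the executions GET response, build the PUT bodies that set our two
    executions to ALTERNATIVE; executions already correct are left untouched."""
    updates = []
    for e in executions:
        want = EXECUTIONS.get(e.get("providerId"))
        if want and e.get("requirement") != want:
            updates.append({**e, "requirement": want})
    return updates


def idp_update(idp, flow_alias):
    """Point the IdP at the new flow, as 'First login flow' does in the console."""
    return {**idp, "firstBrokerLoginFlowAlias": flow_alias}


def validate_flow(executions):
    """True only when both executions exist and are ALTERNATIVE, as required."""
    seen = {e.get("providerId"): e.get("requirement") for e in executions}
    return all(seen.get(p) == r for p, r in EXECUTIONS.items())


def _call(base, token, method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base}/admin/realms/{path}", data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return json.loads(r.read() or b"null")


def configure(base, token, realm, idp_alias="azure-ad"):
    """Run the whole procedure against a live server; returns validate_flow() result."""
    flow = f"{realm}/authentication/flows/{urllib.parse.quote(FLOW_ALIAS, safe='')}"
    _call(base, token, "POST", f"{realm}/authentication/flows", flow_payload(FLOW_ALIAS))
    for provider in EXECUTIONS:
        _call(base, token, "POST", f"{flow}/executions/execution", {"provider": provider})
    for upd in requirement_updates(_call(base, token, "GET", f"{flow}/executions")):
        _call(base, token, "PUT", f"{flow}/executions", upd)
    idp = _call(base, token, "GET", f"{realm}/identity-provider/instances/{idp_alias}")
    _call(base, token, "PUT", f"{realm}/identity-provider/instances/{idp_alias}",
          idp_update(idp, FLOW_ALIAS))
    return validate_flow(_call(base, token, "GET", f"{flow}/executions"))
```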