[keycloak-user] SAML Subsequent login fails with Account disabled error

Kamal Jagadevan j.kamal at ymail.com
Thu Aug 11 08:20:29 EDT 2016


Hello,

We are using Keycloak 1.9.2 for our Authentication flow and SAML interactions (not using SAML adapters) and they are working well in DEV/QA instances. But in the Integration environment we are seeing a strange issue where ONLY the FIRST TIME login works fine. Further logins fail with the following error even though the user is enabled.

"Account is disabled, contact admin." Is there anything obvious that we have missed? Please advise. Enabling debug log didn't reveal anything other than fetching entities from the DB. Any inputs to debug further are also welcome.

Setting in Federated Identity - First login flow is set to First Broker Login flow.
Settings in First login flow - Disabled Review profile page; the rest of the properties were set to default values. Altering the rest of the fields didn't change the behavior.


Following are the sequence of steps:

   - With the help of a static login URL to Keycloak suffixed with the KC_IDP_HINT, Keycloak redirects to the External IDP.
   - Verified the SAML request being sent using SAML Tracer.
   - External IDP login prompts for username and password.
   - After entering credentials, redirected back to Keycloak for getting the token, but it THROWS error "Account is disabled, contact admin".
   - Verified the SAML response with Assertion status as success using SAML Tracer.
   - Verified the user is enabled from the Admin console.
   - Verified the user_entity table for the status.


Best,
Kamal
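The checks the poster performed by hand in SAML Tracer (status code Success, an assertion present, a NameID the broker can map to a user, validity window and audience) can be scripted so that a captured response is triaged consistently on every login attempt. The following is an added example, not code from the original thread or from the Keycloak project; the sample response, hostnames, realm name and NameID in it are constructed, the response is unsigned, and the script does no signature validation (Keycloak itself does that), so it is a triage aid only.

```python
"""Triage checks on a decoded SAML 2.0 Response captured from the browser.

Added example, not Keycloak code. SAMPLE_RESPONSE below is constructed for
illustration (hostnames, realm and NameID are placeholders); it is unsigned,
so this script complements, rather than replaces, signature validation.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: IdP reports Success and asserts an e-mail NameID.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2016-08-11T12:00:00Z"
    Destination="https://keycloak.example/auth/realms/demo/broker/external-idp/endpoint">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-08-11T12:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-08-11T12:05:00Z"
            Recipient="https://keycloak.example/auth/realms/demo/broker/external-idp/endpoint"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-08-11T11:59:00Z" NotOnOrAfter="2016-08-11T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://keycloak.example/auth/realms/demo</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2016-08-11T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_bytes, expected_audience, now):
    """Return {'status', 'name_id', 'problems'} for a decoded SAML Response.

    'now' is the time to evaluate the Conditions window against; pass the
    server's clock to reproduce what the broker saw during a failed login.
    """
    root = ET.fromstring(xml_bytes)
    problems = []

    # 1. Top-level status: anything other than Success means the IdP refused.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_value = status.get("Value") if status is not None else None
    if status_value != STATUS_SUCCESS:
        problems.append(f"status is {status_value!r}, not Success")

    # 2. A plaintext Assertion must be present to inspect anything further.
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted or missing)")
        return {"status": status_value, "name_id": None, "problems": problems}

    # 3. The NameID is what the broker links to the local user record.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if not name_id:
        problems.append("assertion carries no NameID; broker cannot map it to a user")

    # 4. Validity window and audience, the usual silent causes of rejection.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid (NotBefore in the future; check clock skew)")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter passed)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience!r}")

    return {"status": status_value, "name_id": name_id, "problems": problems}


if __name__ == "__main__":
    # Evaluate the constructed response one minute after issuance.
    report = check_saml_response(SAMPLE_RESPONSE,
                                 "https://keycloak.example/auth/realms/demo",
                                 _ts("2016-08-11T12:01:00Z"))
    print(report)
```

To use it on a real capture, paste the base64-decoded SAMLResponse from SAML Tracer in place of SAMPLE_RESPONSE and pass the Keycloak realm URL as the audience. A clean report with an empty problems list narrows the fault to what happens after the assertion is accepted, such as the linked user record and the first-broker-login flow, which is where the poster's symptom sits.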