<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I don't see anything in code. Broker first time login creates
the user and sets enabled to true.<br>
</p>
<p>#1 Turn on debugging</p>
<p>#2 Upgrade to 1.9.8. Our product is based on 1.9.8 and A LOT of
work went into stabilizing the codebase between 1.9.2 and 1.9.8.<br>
</p>
<br>
<div class="moz-cite-prefix">On 8/11/16 8:20 AM, Kamal Jagadevan
wrote:<br>
</div>
<blockquote
cite="mid:866458232.12507273.1470918029020.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:times
new roman, new york, times, serif;font-size:13px">
<div id="yui_3_16_0_ym19_1_1470916157931_2870">Hello,</div>
<div id="yui_3_16_0_ym19_1_1470916157931_2879"> We are using
Keycloak 1.9.2 for our Authentication flow and SAML
interactions (not using SAML adapters) and they are working
well in DEV/QA instances.</div>
<div id="yui_3_16_0_ym19_1_1470916157931_2927">But in
Integration environment we are seeing a strange issue of ONLY
FIRST TIME login works fine. Further login fails with the
following error even though user is enabled.<br>
</div>
<div id="yui_3_16_0_ym19_1_1470916157931_3090"><br>
</div>
<div id="yui_3_16_0_ym19_1_1470916157931_3648">"Account is
disabled, contact admin." Is there anything obvious that we
have missed? Please advise. Enabling debug log didn't reveal
anything other than fetching entities from db.</div>
<div id="yui_3_16_0_ym19_1_1470916157931_4070">Any inputs to
debug further are also welcome.<br>
</div>
<div id="yui_3_16_0_ym19_1_1470916157931_3676"><br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1470916157931_3747">Setting
in Federated Identity - First login flow is set to First
Broker Login flow<br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1470916157931_3668">Settings
in First login flow - Disabled Review profile page; the rest of
the properties were set to default values. Altering the rest of the
fields didn't change the behavior.<br>
</div>
<div id="yui_3_16_0_ym19_1_1470916157931_3932" dir="ltr"><br>
</div>
<div id="yui_3_16_0_ym19_1_1470916157931_3933" dir="ltr"><br>
</div>
<div id="yui_3_16_0_ym19_1_1470916157931_3319">Following is the
sequence of steps:<br>
</div>
<ol dir="ltr" id="yui_3_16_0_ym19_1_1470916157931_3318">
<li id="yui_3_16_0_ym19_1_1470916157931_3317">With the help of
a static login URL to Keycloak suffixed by the
KC_IDP_HINT, Keycloak redirects to the external IDP.</li>
<li id="yui_3_16_0_ym19_1_1470916157931_3317">Verified for the
SAML request being sent using SAML Tracer.<br>
</li>
<li id="yui_3_16_0_ym19_1_1470916157931_3317">External IDP
login prompts for username and password.</li>
<li id="yui_3_16_0_ym19_1_1470916157931_3317">After entering
credentials, redirected back to Keycloak for getting token
but THROWS error "Account is disabled, contact admin"<br>
</li>
<li id="yui_3_16_0_ym19_1_1470916157931_3317">Verified the
SAML response with Assertion status as success using SAML
tracer.</li>
<li id="yui_3_16_0_ym19_1_1470916157931_3317">Verified the
user is enabled from the Admin console.</li>
<li id="yui_3_16_0_ym19_1_1470916157931_3317">Verified the
user_entity table for the status. <br>
</li>
</ol>
<div id="yui_3_16_0_ym19_1_1470916157931_4062"><br>
</div>
<div id="yui_3_16_0_ym19_1_1470916157931_4071">Best</div>
<div>Kamal<br>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>