RESOLVED:
In our scenario keycloak was using the SAML response NameID as username. The SAML IdP creates a new NameID for each authentication.
Therefore keycloak received a different username (NameID) pointing to the same keycloak ID (during SSO session).
We are now using the “Username Template Importer” and trying automatic account linking instead.
--
Marco
On 12 Mar 2018, at 14:12, Marco de Luca <marco.deluca(a)carity.se> wrote:
Hello,
The error registers as follows in the Keycloak log. Any suggestions?
Event type: REGISTER_ERROR
Error: different_user_authenticated
13:07:05,127 WARN [org.keycloak.events] (default task-50) type=REGISTER_ERROR, realmId=1177, clientId=demo-app, userId=a0994120-e9cd-4ae5-b6b9-e92dc3bf8206, ipAddress=172.30.181.189, error=different_user_authenticated, identity_provider=idp_acctest, register_method=broker, consent=no_consent_required, previous_user=d0cae6fa-caa8-4d51-b4df-0711179ff360, identity_provider_identity=7fecc1f8-87d3-420b-a2b0-df239c5cee78, code_id=e14dbf6d-7a69-4842-a54f-cd02552aab47, username=7fecc1f8-87d3-420b-a2b0-df239c5cee78
Kind regards
--
Marco
> On 9 Mar 2018, at 11:14, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> Hi,
>
> could you try to upgrade to the latest version 3.4.3 and see if the issue is still there for your scenario?
>
> Marek
>
> On 09/03/18 10:51, Marco de Luca wrote:
>> Scenario:
>>
>> We are using keycloak OIDC to create id-token/UserInfo for our applications. IdP is provided by an external SAML IdP.
>>
>> We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.1).
>>
>>
>> Problem:
>>
>> When the first application “A” uses Keycloak to authenticate the user everything is OK. When application “B” (using the same browser) uses Keycloak to authenticate the user an error occurs. “We're sorry ... You are already authenticated as different user ‘xx’ in this session. Please logout first.” (DIFFERENT_USER_AUTHENTICATED)
>>
>> The current configuration uses the IdP “Subject.NameID” as username (preferred_username).
>>
>
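As an added example (not from this thread or from Keycloak's own code): a small Python scanner that parses org.keycloak.events lines like the one Marco posted and flags the REGISTER_ERROR pattern described above, where the username Keycloak derived is the IdP identity itself and it resolved to a user other than the one already authenticated in the session. The second sample line and its ids are constructed; the match is a heuristic that indicates NameID was used as username, not by itself that the IdP issues a fresh NameID per login.

```python
import re

# Keycloak writes each event as one log line whose tail, from "type=" on,
# is a comma-separated list of key=value pairs.
EVENT_RE = re.compile(r"\[org\.keycloak\.events\].*?\s(type=.*)$")

def parse_keycloak_event(line):
    """Return the key=value fields of an org.keycloak.events line, or None."""
    match = EVENT_RE.search(line)
    if not match:
        return None
    fields = {}
    for part in match.group(1).split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    return fields

def is_nameid_collision(event):
    """Brokered registration failed with different_user_authenticated, the derived
    username equals the IdP identity, and it maps to a user other than the one
    already authenticated in the browser session (heuristic, see lead-in)."""
    return (
        event.get("type") == "REGISTER_ERROR"
        and event.get("error") == "different_user_authenticated"
        and event.get("register_method") == "broker"
        and event.get("username") == event.get("identity_provider_identity")
        and event.get("previous_user") not in (None, event.get("userId"))
    )

def scan_log(lines):
    """Return the parsed events that match is_nameid_collision."""
    events = (parse_keycloak_event(line) for line in lines)
    return [e for e in events if e and is_nameid_collision(e)]

# Sample input: the line quoted in the thread (joined onto one line) and a
# constructed, healthy brokered login that must not be flagged.
SAMPLE_LOG = [
    "13:07:05,127 WARN [org.keycloak.events] (default task-50) type=REGISTER_ERROR, "
    "realmId=1177, clientId=demo-app, userId=a0994120-e9cd-4ae5-b6b9-e92dc3bf8206, "
    "ipAddress=172.30.181.189, error=different_user_authenticated, identity_provider=idp_acctest, "
    "register_method=broker, consent=no_consent_required, previous_user=d0cae6fa-caa8-4d51-b4df-0711179ff360, "
    "identity_provider_identity=7fecc1f8-87d3-420b-a2b0-df239c5cee78, "
    "code_id=e14dbf6d-7a69-4842-a54f-cd02552aab47, username=7fecc1f8-87d3-420b-a2b0-df239c5cee78",
    # constructed: ids here are placeholders, not from the thread
    "13:08:00,001 DEBUG [org.keycloak.events] (default task-51) type=LOGIN, realmId=1177, "
    "clientId=demo-app, userId=00000000-0000-0000-0000-000000000001, "
    "identity_provider=idp_acctest, username=alice",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("NameID used as username:", hit["username"], "previous_user:", hit["previous_user"])
```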