Hi guys,
I am currently trying to implement the following SAML broker flow with KC
3.0.1.Final:
Assumption: User not known
User goes to App
User is redirected to KC
User is redirected to SAML IDP and is authenticated there with smartcard
User is redirected back to App
In KC user was created and the assertion attributes were mapped
Now user logs out
User goes to App
User is redirected to KC
User is redirected to SAML IDP and is authenticated there with smartcard
But now KC says invalid username or password
How can it be done that, on the second IDP brokering, the user is redirected
to the app without any password check, by using the already existing KC user
info on username match (maybe updating the mapping beforehand in case the SAML
attributes changed)?
thanks
regards
lason
--
Sent from the keycloak-user mailing list archive at
Nabble.com.