[keycloak-user] SAML Subsequent login fails with Account disabled error

Bill Burke bburke at redhat.com
Thu Aug 11 09:01:35 EDT 2016


I don't see anything in code.  Broker first time login creates the user 
and sets enabled to true.

#1 Turn on debugging

#2 Upgrade to 1.9.8.  Our product is based on 1.9.8 and A LOT of work 
went into stabilizing the codebase between 1.9.2 and 1.9.8.


On 8/11/16 8:20 AM, Kamal Jagadevan wrote:
> Hello,
>   We are using Keycloak 1.9.2 for our Authentication flow and SAML 
> interactions (not using SAML adapters) and they are working well in 
> DEV/QA instances.
> But in Integration environment we are seeing a strange issue of ONLY 
> FIRST TIME login works fine. Further login fails with the following 
> error even though user is enabled.
>
> "Account is disabled, contact admin."  Is there anything obvious that 
> we have missed? Please advise. Enabling debug log didn't reveal anything 
> other than fetching entities from db.
> Any inputs to debug further are also welcome.
>
> Setting in Federated Identity -  First login flow is set to First 
> Broker Login flow
> Settings in First login flow - Disabled Review profile page; the rest of 
> the properties were set to default values. Altering the rest of the fields 
> didn't change the behavior.
>
>
> Following are the sequence of steps
>
>  1. With the help of a static login URL to Keycloak suffixed by the
>     KC_IDP_HINT, Keycloak redirects to the external IDP
>  2. Verified for the SAML request being sent using SAML Tracer.
>  3. External IDP login prompts for username and password.
>  4. After entering credentials, redirected back to Keycloak for
>     getting token but THROWS error "Account is disabled, contact admin"
>  5. Verified the SAML response with Assertion status as success using
>     SAML tracer.
>  6. Verified the user is enabled from the Admin console.
>  7. Verified the user_entity table for the status.
>
>
> Best
> Kamal