[keycloak-user] Problem: We're sorry ...You are already authenticated as different user
Marco de Luca
marco.deluca at carity.se
Tue Mar 13 06:06:59 EDT 2018
RESOLVED:
In our scenario Keycloak was using the SAML response NameID as username. The SAML IdP creates a new NameID for each authentication.
Therefore Keycloak received a different username (NameID) pointing to the same Keycloak ID (during SSO session).
We are now using the “Username Template Importer” and trying automatic account linking instead.
--
Marco
> On 12 Mar 2018, at 14:12, Marco de Luca <marco.deluca at carity.se> wrote:
>
> Hello,
>
> The error registers as follows in the Keycloak log. Any suggestions?
>
> Event type: REGISTER_ERROR
> Error: different_user_authenticated
>
> 13:07:05,127 WARN [org.keycloak.events] (default task-50) type=REGISTER_ERROR, realmId=1177, clientId=demo-app, userId=a0994120-e9cd-4ae5-b6b9-e92dc3bf8206, ipAddress=172.30.181.189, error=different_user_authenticated, identity_provider=idp_acctest, register_method=broker, consent=no_consent_required, previous_user=d0cae6fa-caa8-4d51-b4df-0711179ff360, identity_provider_identity=7fecc1f8-87d3-420b-a2b0-df239c5cee78, code_id=e14dbf6d-7a69-4842-a54f-cd02552aab47, username=7fecc1f8-87d3-420b-a2b0-df239c5cee78
>
>
> Kind regards
> --
> Marco
>
>
>
>> On 9 Mar 2018, at 11:14, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> Hi,
>>
>> could you try to upgrade to latest version 3.4.3 and see if the issue is still here for your scenario?
>>
>> Marek
>>
>> On 09/03/18 10:51, Marco de Luca wrote:
>>> Scenario:
>>>
>>> We are using Keycloak OIDC to create id-token/UserInfo for our applications. IdP is provided by an external SAML IdP.
>>>
>>> We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.1).
>>>
>>>
>>> Problem:
>>>
>>> When the first application “A” uses Keycloak to authenticate the user everything is OK. When application “B” (using the same browser) uses Keycloak to authenticate the user an error occurs. “We're sorry ...You are already authenticated as different user ‘xx' in this session. Please logout first.” (DIFFERENT_USER_AUTHENTICATED)
>>>
>>> The current configuration uses the IdP “Subject.NameID” as username (preferred_username).
>>>
>>
>
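
Added example, not part of the original thread or of Keycloak: a small log check for the condition described in the resolution, where a brokered IdP hands out a new NameID on every login and that NameID is imported as the username. It assumes the key=value layout of the `org.keycloak.events` line quoted above; the sample lines and all IDs in them are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value layout of the WARN event line
# quoted in the thread. Realm, client, user and NameID values are made up.
SAMPLE_LOG = """\
13:07:05,127 WARN [org.keycloak.events] (default task-50) type=REGISTER_ERROR, realmId=demo, clientId=app-b, userId=u-2, ipAddress=192.0.2.10, error=different_user_authenticated, identity_provider=idp_example, register_method=broker, previous_user=u-1, identity_provider_identity=nameid-aaa, username=nameid-aaa
13:09:41,002 WARN [org.keycloak.events] (default task-51) type=REGISTER_ERROR, realmId=demo, clientId=app-c, userId=u-3, ipAddress=192.0.2.10, error=different_user_authenticated, identity_provider=idp_example, register_method=broker, previous_user=u-1, identity_provider_identity=nameid-bbb, username=nameid-bbb
13:10:12,400 WARN [org.keycloak.events] (default task-52) type=LOGIN_ERROR, realmId=demo, clientId=app-b, ipAddress=192.0.2.44, error=invalid_user_credentials, username=alice
"""

FIELD = re.compile(r"(\w+)=([^,\s]+)")


def parse_event(line):
    """Return the key=value fields of one event line as a dict."""
    return dict(FIELD.findall(line))


def unstable_nameid_idps(log_text):
    """Map identity_provider -> broker identities that collided with one
    existing SSO session user (previous_user) under different NameIDs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("error") != "different_user_authenticated":
            continue
        if ev.get("register_method") != "broker":
            continue
        # username equal to the broker identity means the NameID itself
        # was imported as the Keycloak username.
        if ev.get("username") != ev.get("identity_provider_identity"):
            continue
        key = (ev.get("identity_provider"), ev.get("previous_user"))
        seen[key].add(ev["identity_provider_identity"])
    flagged = {}
    for (idp, _prev), identities in seen.items():
        # Two or more identities against the same session user: the IdP
        # is issuing a different NameID for each authentication.
        if len(identities) >= 2:
            flagged.setdefault(idp, set()).update(identities)
    return flagged


if __name__ == "__main__":
    for idp, ids in unstable_nameid_idps(SAMPLE_LOG).items():
        print(f"{idp}: {len(ids)} distinct NameIDs used as username")
```

An IdP flagged here is a candidate for mapping the username from a stable attribute instead of the NameID, which is what the “Username Template Importer” in the resolution is used for.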