[keycloak-user] Keycloak 5.0.0 SAML ID Brokering Provider User ID Problems

Joel DuBien joel at spotx.tv
Fri May 17 13:24:56 EDT 2019


Hello,

I'm investigating using Keycloak as an Identity Broker to connect to some
SAML IdPs. I'm running into a problem where the SAML IdP is returning a
response to Keycloak that somehow contains a unique Provider User ID and
Provider Username with each login, even when the same identity logs in
multiple times. This results in a duplicate key error for Keycloak, since
Keycloak expects a single identity to have a single Provider User ID, not a
new one with each login.

I'm using Keycloak 5.0.0.

This is an example of the Provider User ID and the Provider Username that
Keycloak is seeing from the SAML response:
_0663be72e9e02b5d40f320b3a42ec757d6b842539f

I have verified that my SAML response is using a NameID Policy Format of
"Persistent", and that the NameID returned by the SAML response is based on
a consistent ID that wouldn't change for the same account.

Does anyone have experience with this? I'm at a loss as to how to proceed
to get this integration working correctly.

TYIA for your help!

-Joel
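The symptom above (a Persistent NameID policy, yet a different Provider User ID on every login) is easiest to pin down by comparing the NameID Keycloak actually receives across two logins of the same account. The following is an added diagnostic example, not code from the post or from Keycloak: it parses SAML 2.0 Response documents with the standard library, pulls out the Subject NameID and its Format, and reports whether two responses would map to the same brokered identity. The Response documents are constructed here for illustration; the checks assume unencrypted assertions, and when inspecting responses from an untrusted source the parsing should go through a hardened parser such as defusedxml rather than xml.etree directly.

```python
"""Check whether the SAML NameID a broker keys on stays stable across logins.

Added example (not from the mailing-list post or from Keycloak): extracts
<saml:Subject>/<saml:NameID> from SAML 2.0 Responses and compares two logins.
All Response documents below are constructed, not captured from a real IdP.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml.ElementTree

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# SAML 2.0 Core: a NameID without a Format attribute is "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def extract_name_id(response_xml: str) -> tuple[str, str]:
    """Return (format, value) of the Subject NameID in the first assertion."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before inspecting")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no Subject NameID in response")
    return name_id.get("Format", UNSPECIFIED), name_id.text.strip()


def name_id_is_stable(first_xml: str, second_xml: str) -> dict:
    """Compare two responses for the same account as a broker would key them."""
    fmt1, val1 = extract_name_id(first_xml)
    fmt2, val2 = extract_name_id(second_xml)
    return {
        "format": fmt1,
        "format_consistent": fmt1 == fmt2,
        "claims_persistent": fmt1 == PERSISTENT,
        # A broker that uses NameID as the provider user id needs this to hold.
        "value_stable": val1 == val2,
        "ok": fmt1 == fmt2 and val1 == val2,
    }


def make_response(name_id_format: str, name_id_value: str) -> str:
    """Build a minimal, constructed SAML Response (no signature, no encryption)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-constructed" Version="2.0" IssueInstant="2019-05-17T17:24:56Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_assert-constructed" Version="2.0"
      IssueInstant="2019-05-17T17:24:56Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{name_id_value}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed scenario 1: persistent format, same value on both logins (healthy).
GOOD_FIRST = make_response(PERSISTENT, "user-9f3a-persistent-id")
GOOD_SECOND = make_response(PERSISTENT, "user-9f3a-persistent-id")

# Constructed scenario 2: format says persistent, but the value changes per login.
BAD_FIRST = make_response(PERSISTENT, "_0000000000000000000000000000000000000001")
BAD_SECOND = make_response(PERSISTENT, "_0000000000000000000000000000000000000002")

# Constructed scenario 3: transient format, which is expected to change per login.
TRANSIENT_RESPONSE = make_response(TRANSIENT, "_transient-constructed-value")


if __name__ == "__main__":
    print("healthy:", name_id_is_stable(GOOD_FIRST, GOOD_SECOND))
    print("symptom:", name_id_is_stable(BAD_FIRST, BAD_SECOND))
    print("transient:", extract_name_id(TRANSIENT_RESPONSE))
```

Run it against two responses captured from the same account on consecutive logins (for example by decoding the base64 SAMLResponse from the browser's POST to the broker's assertion consumer URL). If `claims_persistent` is true but `value_stable` is false, the IdP is advertising a persistent format while issuing per-login values, which is exactly what would make a broker keying on NameID create a new provider user id each time.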

