Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License

SCIM and SSO Handling - Automatic Linking of User Created through SCIM and SSO #116

Closed saravanad closed 2 weeks ago

saravanad commented 3 weeks ago

Hi @Captain-P-Goldfish ,

This is not an issue with the SCIM jar, more like a know-how request; not sure how to raise that separately, hence raising it in the Issue category.

From OKTA (IDP), the users are pushed to Keycloak via SCIM. OKTA is also used for Single Sign-On (SSO), and Keycloak acts as an Identity Broker between our application and OKTA, which acts as the Identity Provider (IDP). When users log in for the first time, they are redirected to the Review Profile page in Keycloak; upon filling that in, Keycloak detects that there is already a user account with the same name and asks whether it needs to link it.

image

When the user clicks on Add to Existing Account, it asks for authentication. Since the user is authenticated via OKTA, we would not be able to authenticate the user in Keycloak directly. Hence we are unable to link the user account.

The workaround that we have now is, as an Admin User, to link the account by going to Users -> (select specific User) -> Identity Provider Links and manually linking it by giving the username created through SCIM as well as the one from OKTA, as shown below.

image

Could you please share any insights on how this can be handled? Any idea on how to link the user accounts automatically at the time of creation of users through SCIM?

Thanks, Saravana

Captain-P-Goldfish commented 3 weeks ago

You can do this by changing the authentication flow. Copy the first-broker-login flow and replace the subflow "Copy of first broker login First broker login - Conditional OTP" with the two steps "Detect existing broker user" and "Automatically set existing user". If you do this, the user will not be asked for authentication when the accounts are linked.
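The flow change above can also be scripted against the Keycloak admin REST API, which is useful when the same realm is set up repeatedly. The following is an added example, not code from scim-for-keycloak or from Keycloak: it plans (and, outside dry-run mode, sends) the calls that copy the built-in "first broker login" flow, delete the subflow named in the reply, add the two authenticators, and mark them REQUIRED. The provider IDs `idp-detect-existing-broker-user` and `idp-auto-link` are Keycloak's built-in authenticators behind the two steps named above; the realm name `demo`, the server URL, the token placeholder, and the execution listings (`SAMPLE_EXECUTIONS`, `SAMPLE_AFTER_ADD`, with invented ids) are constructed for illustration, and the subflow name assumes the default "Copy of first broker login" name Keycloak gives a copied flow.

```python
# Added example (not part of scim-for-keycloak or Keycloak): plan the Keycloak
# admin REST calls that turn a copy of "first broker login" into an
# auto-linking flow, so SCIM-provisioned users are linked to their Okta
# identity without a Keycloak password prompt.
import json
import urllib.parse
import urllib.request

# Provider IDs of the two built-in Keycloak authenticators behind the steps
# "Detect existing broker user" and "Automatically set existing user".
DETECT_EXISTING = "idp-detect-existing-broker-user"  # fails the login if no matching local user exists
AUTO_LINK = "idp-auto-link"                          # links the broker identity to that local user
REALM = "demo"                                       # assumed realm name
SOURCE_FLOW = "first broker login"                   # Keycloak's built-in flow alias
COPY_FLOW = "Copy of first broker login"             # default alias Keycloak gives the copy


def flow_path(realm, alias, suffix=""):
    """Admin REST path for a flow alias; aliases contain spaces, so URL-encode them."""
    return f"/admin/realms/{realm}/authentication/flows/{urllib.parse.quote(alias, safe='')}{suffix}"


def plan_copy(realm, source_alias, copy_alias):
    """Stage 1: copy the built-in flow under a new alias."""
    return [("POST", flow_path(realm, source_alias, "/copy"), {"newName": copy_alias})]


def plan_replace(realm, copy_alias, executions, subflow_to_replace):
    """Stage 2: delete the named subflow (its nested steps go with it) and append
    the two auto-linking authenticators to the copied flow. `executions` is the
    list that GET .../flows/{copy_alias}/executions returns for the copy."""
    matches = [e for e in executions
               if e.get("authenticationFlow") and e.get("displayName") == subflow_to_replace]
    if len(matches) != 1:  # refuse to guess if the listing does not look as expected
        raise ValueError(f"expected one subflow named {subflow_to_replace!r}, found {len(matches)}")
    calls = [("DELETE", f"/admin/realms/{realm}/authentication/executions/{matches[0]['id']}", None)]
    for provider in (DETECT_EXISTING, AUTO_LINK):
        calls.append(("POST", flow_path(realm, copy_alias, "/executions/execution"), {"provider": provider}))
    return calls


def plan_requirements(realm, copy_alias, executions):
    """Stage 3: newly added executions start DISABLED; re-read the listing and
    set the two auto-linking steps to REQUIRED (PUT takes the execution entry)."""
    calls = []
    for e in executions:
        if e.get("providerId") in (DETECT_EXISTING, AUTO_LINK) and e.get("requirement") != "REQUIRED":
            calls.append(("PUT", flow_path(realm, copy_alias, "/executions"), {**e, "requirement": "REQUIRED"}))
    return calls


def apply(calls, base_url, token, dry_run=True):
    """Send the planned calls with an admin bearer token; with dry_run only the
    resolved URLs are returned, so the plan can be reviewed before any change."""
    sent = []
    for method, path, body in calls:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        if not dry_run:
            with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
                resp.read()
        sent.append((method, req.full_url))
    return sent


# Constructed sample of the copied flow's execution listing (ids invented); the
# subflow name is the one given in the reply, using the default copy alias.
SUBFLOW_TO_REPLACE = "Copy of first broker login First broker login - Conditional OTP"
SAMPLE_EXECUTIONS = [
    {"id": "e1", "displayName": "Review Profile", "providerId": "idp-review-profile",
     "requirement": "REQUIRED", "level": 0, "authenticationFlow": False},
    {"id": "e2", "displayName": "Copy of first broker login User creation or linking",
     "requirement": "REQUIRED", "level": 0, "authenticationFlow": True},
    {"id": "e3", "displayName": "Create User If Unique", "providerId": "idp-create-user-if-unique",
     "requirement": "ALTERNATIVE", "level": 1, "authenticationFlow": False},
    {"id": "e4", "displayName": SUBFLOW_TO_REPLACE,
     "requirement": "CONDITIONAL", "level": 3, "authenticationFlow": True},
]
# Constructed listing after stage 2: the two new steps arrive DISABLED.
SAMPLE_AFTER_ADD = SAMPLE_EXECUTIONS[:3] + [
    {"id": "e6", "displayName": "Detect existing broker user", "providerId": DETECT_EXISTING,
     "requirement": "DISABLED", "level": 0, "authenticationFlow": False},
    {"id": "e7", "displayName": "Automatically set existing user", "providerId": AUTO_LINK,
     "requirement": "DISABLED", "level": 0, "authenticationFlow": False},
]

if __name__ == "__main__":
    plan = (plan_copy(REALM, SOURCE_FLOW, COPY_FLOW)
            + plan_replace(REALM, COPY_FLOW, SAMPLE_EXECUTIONS, SUBFLOW_TO_REPLACE)
            + plan_requirements(REALM, COPY_FLOW, SAMPLE_AFTER_ADD))
    for method, url in apply(plan, "https://keycloak.example.invalid", "ADMIN_TOKEN_PLACEHOLDER"):
        print(method, url)
```

Against a live server the three stages are separated by a GET of `.../flows/{copy}/executions`, because the execution ids only exist after the copy and after the POSTs. Once the flow is in place it still has to be selected as the Okta identity provider's "First login flow"; with `idp-detect-existing-broker-user` in the flow, a login for which SCIM has not yet created the matching Keycloak user fails instead of creating a second account, which is the behaviour wanted when SCIM is the only source of users.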

saravanad commented 2 weeks ago

Thanks @Captain-P-Goldfish. This worked.