Description
We are seeing inconsistent behavior in Keycloak 26.1 when handling users mapped to multiple organizations.
Flow 1: Direct login users (org mapped to IdP)
Organization is mapped to the IdP.
User is not pre‑created in Keycloak.
User logs in directly via the IdP.
Based on the email, SSO is triggered and the user is automatically added to Keycloak.
If the user is mapped to multiple organizations, SSO works seamlessly across all orgs. No password prompt is required.
Flow 2: API‑created federated users
User is created via API with the following payload:
```json
{
  "username": "",
  "firstName": "",
  "lastName": "",
  "email": "",
  "requiredActions": [],
  "emailVerified": true,
  "enabled": true,
  "credentials": [],
  "attributes": {
    "identityProvider": "oauth2",
    "brokerUser": true,
    "userEnabledByBroker": true,
    "externalId": ""
  }
}
```
Then user federation is mapped with payload:
```json
{
  "userName": "",
  "userId": "",
  "identityProvider": "oauth2"
}
```
Only one organization is mapped to the IdP. The remaining orgs do not have IdP mappings.
In this case, the user is prompted for a password when accessing the other orgs (SSO does not carry over).
Steps Tried
Verified org mappings are correct.
Confirmed IdP configuration is valid.
Tested with multiple orgs and different IdPs.
Issue persists only for federated users created via API.
Expected Behavior
Federated users created via API should behave the same as direct login users:
If mapped to multiple organizations, SSO should apply across all orgs without requiring a password prompt.
Actual Behavior
SSO works only for the org mapped to the IdP.
For other orgs, the user is asked to enter a password.
Environment
Keycloak version: 26.3.1
Identity Provider: OAuth2
Organizations: One org mapped to IdP, others without IdP mapping
Question
Is this a limitation in the current organizations + federation implementation, or a bug in how API‑created federated users are handled?
Any guidance on workarounds, or confirmation of whether this is planned to be fixed in upcoming releases, would be appreciated.
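A reproduction script for the API-created flow described in the post, added here as an example (it is not from the original post or from the Keycloak project). It assumes a Keycloak admin REST endpoint at BASE, a realm REALM, the IdP alias oauth2 and placeholder organization ids in ORG_IDS, and uses the admin endpoints for users, federated-identity and organization members; after creating and linking the user it reads back what Keycloak actually stored, so a missing IdP link or a missing membership can be told apart from a login-flow problem.

```python
import json, urllib.parse, urllib.request

BASE = "http://localhost:8080"           # placeholder Keycloak URL (assumption)
REALM = "myrealm"                        # placeholder realm name (assumption)
IDP_ALIAS = "oauth2"                     # IdP alias used in the post
ORG_IDS = ["<org-id-1>", "<org-id-2>"]   # placeholder organization ids (assumption)

def user_payload(username, email, external_id):
    """Same shape as the user-creation payload in the post, with values filled in."""
    return {"username": username, "firstName": "", "lastName": "", "email": email,
            "requiredActions": [], "emailVerified": True, "enabled": True, "credentials": [],
            "attributes": {"identityProvider": IDP_ALIAS, "brokerUser": True,
                           "userEnabledByBroker": True, "externalId": external_id}}

def federated_identity(username, external_id):
    """Body for POST /users/{id}/federated-identity/{alias}, as in the post."""
    return {"userName": username, "userId": external_id, "identityProvider": IDP_ALIAS}

def missing_links(fed_ids, member_org_ids, expected_org_ids):
    """Read-back check: is the IdP link present, and is the user a member of every org?"""
    problems = []
    if not any(f.get("identityProvider") == IDP_ALIAS for f in fed_ids):
        problems.append(f"no federated identity for {IDP_ALIAS}")
    problems += [f"not a member of {o}" for o in expected_org_ids if o not in member_org_ids]
    return problems

def call(method, url, body=None, token=None, form=False):
    """Minimal JSON/form HTTP helper; returns (response headers, parsed JSON or None)."""
    data = urllib.parse.urlencode(body).encode() if form else (json.dumps(body).encode() if body is not None else None)
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/x-www-form-urlencoded" if form else "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as r:
        raw = r.read()
        return r.headers, (json.loads(raw) if raw else None)

def reproduce(admin_user, admin_pw, username, email, external_id):
    """Create the user, link the IdP, add it to all orgs, then read back what Keycloak stored."""
    _, tok = call("POST", f"{BASE}/realms/master/protocol/openid-connect/token", form=True,
                  body={"grant_type": "password", "client_id": "admin-cli", "username": admin_user, "password": admin_pw})
    api, token = f"{BASE}/admin/realms/{REALM}", tok["access_token"]
    hdrs, _ = call("POST", f"{api}/users", user_payload(username, email, external_id), token)
    uid = hdrs["Location"].rsplit("/", 1)[-1]
    call("POST", f"{api}/users/{uid}/federated-identity/{IDP_ALIAS}", federated_identity(username, external_id), token)
    for org in ORG_IDS:  # the members endpoint takes the bare user id as the request body
        call("POST", f"{api}/organizations/{org}/members", uid, token)
    _, fed = call("GET", f"{api}/users/{uid}/federated-identity", token=token)
    _, orgs = call("GET", f"{api}/organizations/members/{uid}/organizations", token=token)
    return missing_links(fed, [o["id"] for o in orgs], ORG_IDS)
```

Run `reproduce("admin", "<password>", "alice", "alice@example.com", "<external-id>")` against a test instance; an empty list means the link and every membership were stored, which points at the organization login flow rather than at the stored data.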