NOTE: This is no longer required, as it is included in Keycloak by default as of 4.5.0. See https://issues.jboss.org/browse/KEYCLOAK-7270?_sscc=t. While 4.5.0 isn't out yet, the docs can be seen in this PR: keycloak/keycloak-documentation#435.
When using an external identity provider, Keycloak will, by default, ask the user if they would like to link their IdP login with an existing account, if one exists. When the external identity provider is an enterprise SSO solution linked to an enterprise user directory with which Keycloak is federated, these additional prompts are undesirable and confusing to users. This small authentication provider can be dropped into a flow to automatically link an IdP login with an existing user, federated or otherwise, without prompting the user.
- Download a release jar or build it with Maven: `mvn package`.
- Drop the jar into one of the directories defined in the `providers` element of `standalone/configuration/keycloak-server.json`.
- Create or modify an authentication flow to include the new `Link IDP Login` provider in the appropriate place.
- Modify an Identity Provider to use the above flow.

Typically, you'll want a simple flow that starts with `Create User if Unique` and continues to `Link IDP Login`, both with the requirement set to ALTERNATIVE.
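The following is an added example of the kind of authenticator this README describes, written here to show how the flow above fits together; it is not the project's own code. It builds on Keycloak's `AbstractIdpAuthenticator`, the same base class the built-in broker authenticators use. The class name, the nested factory, the provider id `example-idp-auto-link` and the display text are assumptions made for the example.

```java
// Added example, not the project's code. Names, the provider id and the
// display text are assumptions; the Keycloak API calls are the ones the
// built-in broker authenticators use.
package com.example.keycloak;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

import java.util.Collections;
import java.util.List;

public class AutoLinkAuthenticator extends AbstractIdpAuthenticator {

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        // "Create User if Unique" runs as the earlier ALTERNATIVE step. When it
        // finds an existing local user it records that user in the
        // EXISTING_USER_INFO auth note and the flow falls through to this step.
        // getExistingUser() reads the note and throws an
        // AuthenticationFlowException if it is absent, so the step fails closed
        // instead of linking to a guessed account.
        UserModel existingUser = getExistingUser(context.getSession(), context.getRealm(),
                context.getAuthenticationSession());

        // The link is made purely on the identity the IdP asserted, so this is
        // only appropriate when the IdP is authoritative for the same directory.
        // Never silently re-enable a disabled account through a broker login.
        if (!existingUser.isEnabled()) {
            context.failure(AuthenticationFlowError.USER_DISABLED);
            return;
        }

        // Setting the user and succeeding is all that is needed: the broker
        // service stores the federated-identity link once the flow completes.
        context.setUser(existingUser);
        context.success();
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        // No form is rendered, so there is no post-back to handle.
        authenticateImpl(context, serializedCtx, brokerContext);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }

    // Factory registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory
    public static class Factory implements AuthenticatorFactory {
        public static final String PROVIDER_ID = "example-idp-auto-link"; // assumed id
        private static final AutoLinkAuthenticator SINGLETON = new AutoLinkAuthenticator();
        private static final AuthenticationExecutionModel.Requirement[] REQUIREMENTS = {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.ALTERNATIVE,
                AuthenticationExecutionModel.Requirement.DISABLED
        };

        @Override public String getId() { return PROVIDER_ID; }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public String getDisplayType() { return "Link IDP Login (example)"; }
        @Override public String getReferenceCategory() { return "autoLink"; }
        @Override public boolean isConfigurable() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENTS; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() {
            return "Links the broker login to the existing user found by 'Create User if Unique' without prompting.";
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

To make Keycloak discover the factory, the jar must contain `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` with the single line `com.example.keycloak.AutoLinkAuthenticator$Factory`. Placed after `Create User if Unique` with both executions set to ALTERNATIVE, a unique login creates the user at the first step and this step never runs; a duplicate falls through to this step, which links it without the review and confirmation prompts.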