Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
identity-brokering
Describe the bug
When Keycloak diverts the auth flow to a customer IdP and receives a SAML response, it creates a user record with a "null" username. This happens when the incoming SAML attribute mapped to 'username' does not exist in the SAML response. This is a bug because a null username does not allow us to track who is in session.
Also, we can't seem to delete this record from the admin console UI because the record is constrained to the federated_identity and user_role_mappings tables at the DB level, so it shows an error.
When customers are presented with the profile review page on first login, they also see the username as null (because the mapped attribute did not exist), and if they accept the profile with null, it creates a null record.
Version
26.1.0
Regression
- The issue is a regression
Expected behavior
The attempt to create a null username record should fail.
Actual behavior
It is creating a null username record.
How to Reproduce?
- map a 3rd-party IdP in a realm
- create an auth flow that delegates to this external IdP
- receive a SAML response, but make sure that the incoming SAML attribute that is mapped to the "username" KC attribute does not exist in the response
- accept the profile with a null username
Anything else?
No response
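A worked illustration of the expected behavior described in this report, added here as an example; it is not part of the original issue and is not Keycloak's own mapper code. It is a minimal stand-in for the attribute-to-username mapping step: it parses a SAML Response, looks up the attribute configured as the username source, and refuses to build a user record when that attribute is absent or empty instead of yielding a null username. The attribute name (the LDAP `uid` OID), the IdP alias and the three SAML responses are constructed for the demonstration.

```python
"""Validate the 'username' SAML attribute before creating a brokered user.

Added example, not Keycloak's own code: a minimal stand-in for the
attribute-to-username mapping step. The attribute name, the IdP alias
and the SAML responses below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical mapper configuration (assumption for this example): the
# IdP attribute mapped to the Keycloak 'username' user attribute.
USERNAME_ATTRIBUTE = "urn:oid:0.9.2342.19200300.100.1.1"  # LDAP 'uid'


class MissingUsernameAttribute(ValueError):
    """Raised when the mapped username attribute is absent or empty."""


def saml_attributes(response_xml: str) -> dict[str, list[str]]:
    """Collect every <saml:Attribute> from all assertions in a SAML Response."""
    root = ET.fromstring(response_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def mapped_username(response_xml: str, attribute_name: str = USERNAME_ATTRIBUTE) -> str:
    """Return the username the mapper would produce, or fail loudly.

    An absent attribute, an attribute with no values, or a value that is
    empty after stripping all raise MissingUsernameAttribute rather than
    returning None, so no caller can persist a user with a null username.
    """
    values = [v for v in saml_attributes(response_xml).get(attribute_name, []) if v]
    if not values:
        raise MissingUsernameAttribute(
            f"SAML response carries no usable value for {attribute_name!r}"
        )
    if len(values) > 1:
        raise MissingUsernameAttribute(
            f"ambiguous username: {attribute_name!r} has {len(values)} values"
        )
    return values[0]


def build_brokered_user(response_xml: str, idp_alias: str) -> dict:
    """Build the user record the broker would create; refuses a null username."""
    return {"username": mapped_username(response_xml), "federated_identity": idp_alias}


def username_or_none(response_xml: str):
    """Convenience wrapper for callers that prefer None over an exception."""
    try:
        return mapped_username(response_xml)
    except MissingUsernameAttribute:
        return None


def _response(attributes: str) -> str:
    """Wrap constructed attribute XML in a minimal (unsigned) SAML Response."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attributes}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed sample responses (not captured from any real IdP).
GOOD_RESPONSE = _response(
    '<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">'
    "<saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>"
)
# The reporter's case: the IdP sent other attributes but not the mapped one.
MISSING_RESPONSE = _response(
    '<saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test'
    "</saml:AttributeValue></saml:Attribute>"
)
# Edge case: the attribute is present but carries an empty value.
EMPTY_RESPONSE = _response(
    '<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">'
    "<saml:AttributeValue></saml:AttributeValue></saml:Attribute>"
)


if __name__ == "__main__":
    print(build_brokered_user(GOOD_RESPONSE, "customer-idp"))
    for label, xml in (("missing", MISSING_RESPONSE), ("empty", EMPTY_RESPONSE)):
        try:
            build_brokered_user(xml, "customer-idp")
        except MissingUsernameAttribute as exc:
            print(f"{label}: rejected ({exc})")
```

Rejecting in the mapping step is the point: a brokered login whose username source is missing never reaches the profile review page or the database, so the orphaned record constrained by federated_identity and role-mapping rows cannot be created in the first place. Signature validation is deliberately out of scope here; the example only models the attribute lookup.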