Keycloak Invalid username or password error with customers using Active Directory as IdP

ghm1289 0 Reputation points
2024-01-10T16:54:50.17+00:00

I have an issue where customers are using Microsoft Active Directory + Okta and receiving an invalid username/password error in Keycloak after providing the correct password.

Flow: User successfully logs into Microsoft and is redirected to Okta homepage --> User clicks on app --> Invalid username/password error comes from Keycloak.

Workaround: Manually unlink and re-link idp in Keycloak

We're seeing this occur when a customer has mixed casing in their email address (i.e. [******@Test.com]). All affected users are using Microsoft Active Directory. The problem is I can't reproduce it. See logs below, note the following:

  • userId=null
  • auth_method=openid-connect (the idp in keycloak is set to SAML)
  • identity_provider_identity=
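The fields the question singles out (userId=null on a brokered login, and the identity_provider_identity value) can be pulled out of Keycloak's event log mechanically, which makes it possible to count how many users hit this symptom and to see whether the broker identity casing is the common factor. The Python below is an added example written for this page, not code from the question author or from Keycloak. The sample event lines, realm and client names, addresses and e-mail addresses are constructed; they only mirror the comma-separated key=value format of Keycloak's built-in logging event listener. The idea that the stored federated-identity link holds the lowercased identity is an assumption, not something the page establishes.

```python
"""Scan Keycloak event-log lines for the symptom described in the question.

Added example, not code from the question or from Keycloak. The log lines in
EVENTS are constructed to mirror the comma-separated key=value format of
Keycloak's logging event listener; the realm, client, addresses and e-mail
addresses are placeholders, not values from any real deployment.
"""

import re
from typing import Dict, List, Optional, Tuple

# One "key=value" pair; a value runs until the next comma, because Keycloak
# joins event attributes with ", ".
_PAIR = re.compile(r"(\w+)=([^,]*)")

# Constructed sample events. Lines 1 and 3 reproduce what the question points
# out: userId=null on a brokered login, with a broker identity that is either
# mixed-case or missing altogether. Line 4 is an ordinary local login failure.
EVENTS: List[str] = [
    "type=LOGIN_ERROR, realmId=example-realm, clientId=portal, userId=null, "
    "ipAddress=192.0.2.10, error=invalid_user_credentials, "
    "auth_method=openid-connect, identity_provider=okta-saml, "
    "identity_provider_identity=First.Last@Test.com",
    "type=LOGIN, realmId=example-realm, clientId=portal, userId=9c1d-placeholder, "
    "ipAddress=192.0.2.11, auth_method=openid-connect, "
    "identity_provider=okta-saml, identity_provider_identity=other.user@test.com",
    "type=LOGIN_ERROR, realmId=example-realm, clientId=portal, userId=null, "
    "ipAddress=192.0.2.12, error=invalid_user_credentials, "
    "auth_method=openid-connect, identity_provider=okta-saml, "
    "identity_provider_identity=",
    "type=LOGIN_ERROR, realmId=example-realm, clientId=portal, userId=null, "
    "ipAddress=192.0.2.13, error=invalid_user_credentials, "
    "auth_method=openid-connect, username=local.user",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a dict of its key=value attributes."""
    return {key: value.strip() for key, value in _PAIR.findall(line)}


def link_mismatch(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the event is a brokered login that Keycloak
    could not map to a local user, or None when the event is unremarkable.

    Assumption (not taken from the page): the local federated-identity link
    stores the identity in lowercase, so a mixed-case identity coming back
    from the broker will not match it on an exact comparison.
    """
    if event.get("type") != "LOGIN_ERROR" or event.get("userId") != "null":
        return None
    if "identity_provider_identity" not in event:
        return None  # not a brokered login, so outside this symptom
    ident = event["identity_provider_identity"]
    if not ident:
        return "broker returned an empty identity_provider_identity"
    if ident != ident.lower():
        return (f"broker identity {ident!r} is mixed-case; "
                f"check the stored link against {ident.lower()!r}")
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, reason) for every line matching the symptom."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        reason = link_mismatch(parse_event(line))
        if reason:
            findings.append((number, reason))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real system feed it the
    # keycloak event log instead.
    for number, reason in scan(EVENTS):
        print(f"line {number}: {reason}")
```

Running the block prints a finding for the mixed-case identity on line 1 and for the empty identity on line 3; the successful login and the plain local failure are skipped. Counting the mixed-case findings against the list of affected users is a quick way to confirm or rule out the casing theory before raising it with the Keycloak community.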

1 answer

Sort by: Most helpful
  1. Thameur-BOURBITA 35,511 Reputation points
    2024-01-10T23:34:49.9533333+00:00

    Hi @ghm1289, it seems that Keycloak is the IdP that validates the password instead of transferring the authentication request to AD like ADFS does. That's why the user gets the wrong password error message when he types his AD password. So this is not a problem on the AD side but rather on the Keycloak side, and for that I recommend that you ask your question in a forum dedicated to Keycloak: https://www.keycloak.org/community

    --- Please don't forget to accept the helpful answer

    1 person found this answer helpful.
