Keycloak mapping user wrong

[F1L337]

Hello everyone,

I have freshly deployed Defguard version 2.0.0-beta1, connected to LDAP and Keycloak.

During the initial setup, I used my own email address for the first admin account (root_usr), with the intention of changing it later. This same email address is also used by my standard user (joe_usr) in the corporate LDAP, which in turn syncs users to Keycloak.

Now, when I authenticate with joe_usr via Keycloak in Defguard (by clicking "Sign in with Keycloak"), I am automatically logged in as root_usr. This behavior persists even after changing the email address of root_usr afterward.

Additionally, I performed a self-enrollment on another notebook using joe_usr via Keycloak. The device is listed under the root_usr profile instead of joe_usr, even though joe_usr exists correctly under "Users" in Defguard.

However, when I log in to the core GUI using joe_usr with LDAP credentials (without Keycloak), I am correctly authenticated as joe_usr.

I have disabled automatic account creation so that only users belonging to a specific LDAP group are allowed to log in.

I also tried creating another local admin user and deleting root_usr, but this is not possible, even when attempting it as an authorized admin.

Does anyone have an idea how to resolve this issue?

[teon]

@F1L337 thank you for the feedback - we will look into this ASAP and get back to you either with details or links to bugs that should be fixed in beta2 (early next week).

[t-aleksander]

@F1L337
Hello,
Defguard creates an account association based on the email address between the Defguard account and your external provider's account only at first login. Subsequent logins are performed using your provider's unique user ID (which Defguard stores on that first login), not the email address. That's why you are constantly being logged into the root_usr account: Defguard remembered that association the first time, since it matched your email addresses, and now continues to use that account, even despite you changing the email address.

If you'd like for Defguard to forget that association, you must clear the openid_sub field for the root_usr. This can be currently only performed by executing the following SQL query on the Defguard database: UPDATE "user" SET openid_sub = null WHERE username = 'root_usr';. Then, on next OpenID login, Defguard should associate your OpenID account with joe_usr (if the email address match, that is).

[F1L337]

Thank you! I´ll test it.

[F1L337]

It worked perfectly!