
I have configured Keycloak to use the SAML IDP provided by "samltest.id", and it works when the user logs into the application. On some user actions I want to force the user to enter his credentials again.

In the application I use the login method of the Keycloak JS adapter as follows:

keycloak.login({ prompt: 'login' })

I also set the "force authentication" flag in the SAML configuration in Keycloak.

So what is happening is that after trying the re-login, the user is redirected to the IDP (as expected), but after entering his credentials a WARN message is shown in the Keycloak log:

WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code

and the user is again redirected to the IDP.

After entering the credentials again, instead of updating the active user session, an additional session is created by Keycloak (so I can see two sessions for the user in the Keycloak admin console). This way the token (which belongs to the first session) will not be updated, so in the application I cannot recognize the success of the user's re-login.

Currently I use Keycloak version 7.0.0. This re-login behavior works just fine if I do it for a user authenticated directly by Keycloak.

I can reproduce this behavior not just with "samltest.id" but also with another IDP.

I also thought about doing a logout instead of a re-login, but this would close the user session, and if the user decides to cancel his action, he would not be able to just go back to the application without authenticating himself again.

Does someone have an idea how to solve this issue? Or whether it can be solved at all?

d3rbastl3r

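The question hinges on the application not being able to tell whether the `keycloak.login({ prompt: 'login' })` round trip actually produced a fresh authentication or left the adapter holding the first session's token. The following is an added example, not code from the question and not Keycloak's own code: a client-side check that compares the claims of the token held before the redirect with the token held after it. It assumes the tokens carry the standard OIDC `auth_time` claim together with Keycloak's `session_state` and `sub` claims; the helper names (`assessReauth`, `makeSampleJwt`), the `maxAgeSeconds` threshold and the unsigned sample tokens are constructed for the example and are not part of any Keycloak API.

```javascript
// Added example, not code from the question or from Keycloak: decide on the
// client whether a keycloak.login({ prompt: 'login' }) round trip actually
// produced a fresh authentication, by comparing the claims of the token held
// before the redirect with the token held afterwards.
// Assumptions: the tokens carry the standard OIDC `auth_time` claim plus
// Keycloak's `session_state` and `sub` claims. Only claims are inspected;
// signature verification stays with the resource server.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  // Node: Buffer; in a browser atob() would be used instead.
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compare the token the adapter held before calling login() with the token it
// holds after the redirect returns. Returns { ok, sameSession, reason }.
function assessReauth(beforeJwt, afterJwt, opts = {}) {
  const maxAgeSeconds = opts.maxAgeSeconds ?? 60; // how recent the new auth must be
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const before = decodeClaims(beforeJwt);
  const after = decodeClaims(afterJwt);
  const sameSession = before.session_state === after.session_state;

  if (before.sub !== after.sub) {
    return { ok: false, sameSession, reason: 'subject changed' };
  }
  if (typeof after.auth_time !== 'number') {
    return { ok: false, sameSession, reason: 'no auth_time claim' };
  }
  // The symptom from the question: the adapter still holds the first
  // session's token, so auth_time has not moved although the IDP was visited.
  if (after.auth_time <= (before.auth_time ?? 0)) {
    return { ok: false, sameSession, reason: 'auth_time did not advance' };
  }
  if (now - after.auth_time > maxAgeSeconds) {
    return { ok: false, sameSession, reason: 'auth_time too old' };
  }
  return { ok: true, sameSession, reason: 'fresh authentication' };
}

// Constructed, unsigned sample tokens (placeholder signature) for a dry run;
// real tokens come from keycloak.token before and after the redirect.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}

const NOW = 1700000000; // fixed "current time" so the dry run is deterministic
const tokenBefore = makeSampleJwt({ sub: 'u1', session_state: 'sess-A', auth_time: NOW - 3600, exp: NOW + 300 });
const tokenUnchanged = tokenBefore; // first session's token still in the adapter
const tokenFresh = makeSampleJwt({ sub: 'u1', session_state: 'sess-A', auth_time: NOW - 5, exp: NOW + 300 });
const tokenOtherSession = makeSampleJwt({ sub: 'u1', session_state: 'sess-B', auth_time: NOW - 5, exp: NOW + 300 });

console.log(assessReauth(tokenBefore, tokenUnchanged, { now: NOW }));    // ok: false, auth_time did not advance
console.log(assessReauth(tokenBefore, tokenFresh, { now: NOW }));        // ok: true, sameSession: true
console.log(assessReauth(tokenBefore, tokenOtherSession, { now: NOW })); // ok: true, sameSession: false
```

To use this in an application, the token the adapter holds would be stashed (for example in `sessionStorage`) immediately before calling `keycloak.login({ prompt: 'login' })`, and compared with `keycloak.token` once the adapter has re-initialised after the redirect. The `sameSession` flag distinguishes the intended outcome (same `session_state`, later `auth_time`) from the second-session outcome the question describes, where a new `session_state` appears while the token in the adapter stays the old one.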