The simultaneous use of multiple identity providers

Last Updated: Jun 10, 2026

You can configure multiple identity providers on Keycloak, and the same enterprise user can have an account on each of these identity providers. Prior to Release 10.1.0, however, the user could select and use only one of the configured identity providers. Starting from Release 10.1.0, Keycloak supports the simultaneous use of multiple identity providers. Users can link their identity provider accounts so that they can choose which identity provider to use each time they log in to their clients. The account linking procedure is performed only once, when the user logs in to a client using a new identity provider.

Note:
  • Keycloak considers user accounts registered on different identity providers as belonging to the same user if these accounts use the same email address.

  • For security reasons, Avaya Aura® Device Services does not automatically link user accounts registered on different identity providers.

To disable the use of an identity provider, delete its configuration from Keycloak. If users of that identity provider have accounts on other identity providers, they can still use the authentication service.

The account linking functionality is enabled by default. If required, you can configure the default account linking options in your realm on Keycloak at Authentication > Flow > First Broker Login. For more information about the available configuration options, see First Login Flow in the Server Administration Guide.

Identity provider account linking flow

The account linking flow is as follows:

  1. A user logs in to a client using an identity provider.

  2. The user logs in again, or logs in to another device, using another identity provider.

  3. Keycloak notifies the user that the user account already exists.

  4. The user selects the Add to existing account option on the Login screen.

  5. Keycloak prompts the user to select an identity provider.

  6. The user selects an identity provider and enters authentication data.

  7. Keycloak links the user accounts.

Prerequisites

To allow enterprise users to use multiple identity providers, you must:

  • Disable the default identity provider, if configured. When the default identity provider is used, Keycloak automatically logs the user in to the client. Therefore, the user cannot select an identity provider when logging in to their client.

  • Ensure that the NameID Policy Format parameter is set to Email on Keycloak for the identity provider. For more information about configuring identity provider settings on Keycloak, see the Avaya Aura® Device Services integration section for an appropriate identity provider.
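
A check of the two prerequisites above against a realm export, as an added example that is not taken from the Avaya or Keycloak documentation. It assumes the realm was exported to JSON with its identityProviders and authenticatorConfig sections and the defaultProvider and SAML nameIDPolicyFormat keys; the realm name and provider aliases are constructed sample data.

```python
import json

# SAML NameID format URN that corresponds to "Email".
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: a trimmed realm export with two SAML identity providers.
SAMPLE_REALM = json.loads("""
{
  "realm": "example-realm",
  "identityProviders": [
    {"alias": "idp-a", "providerId": "saml", "enabled": true,
     "config": {"nameIDPolicyFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},
    {"alias": "idp-b", "providerId": "saml", "enabled": true,
     "config": {"nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}}
  ],
  "authenticatorConfig": [
    {"alias": "idp-redirector", "config": {"defaultProvider": "idp-a"}}
  ]
}
""")


def check_prerequisites(realm):
    """Return a list of findings; an empty list means both prerequisites hold."""
    findings = []
    # Prerequisite 1: no default identity provider, otherwise the user is
    # logged in automatically and is never offered a choice of provider.
    for cfg in realm.get("authenticatorConfig", []):
        default = (cfg.get("config") or {}).get("defaultProvider")
        if default:
            findings.append(f"default identity provider set: {default}")
    # Prerequisite 2: NameID Policy Format must be Email on each enabled
    # SAML identity provider (a missing value is reported as well).
    for idp in realm.get("identityProviders", []):
        if not idp.get("enabled", True) or idp.get("providerId") != "saml":
            continue
        fmt = (idp.get("config") or {}).get("nameIDPolicyFormat")
        if fmt != EMAIL_NAMEID:
            findings.append(
                f"{idp.get('alias')}: NameID Policy Format is {fmt}, not Email")
    return findings


if __name__ == "__main__":
    for line in check_prerequisites(SAMPLE_REALM) or ["prerequisites satisfied"]:
        print(line)
```

Run against the constructed sample, it reports the default provider idp-a and the persistent NameID format on idp-b.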