We are creating an Identity Provider with an ADFS 2012r2, version 3.0.
This ADFS returns the Windows account name as the SAML NameID (which is what is used for the Keycloak user id).
Everything works fine in the setup. But in use, depending on the environment (Windows/Linux/phone), the Windows account name arrives with a different case.
For example, for user John Doe the Windows account name can arrive as:
domain\JDoe or domain\jdoe.
When this happens the user gets the message: User already exist.
We can't merge users for security reasons.
We can't transform the Windows account name before sending it to Keycloak because the ADFS version does not support it.
The best would be to be able to specify in the identity provider settings to ignore the case of the NameID SAML attribute.
I attach a SAML response sent to Keycloak where the NameID tag is set, to help understand/identify the part of the code concerned.
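The following is an added example, not part of the original report and not Keycloak code. It reproduces the failure mode described above with a toy model of a SAML broker: a minimal, unsigned SAML 2.0 Response (constructed here, not the one attached to the report) carries a `NameID` of the form `domain\user`; the broker keys its federated-identity table on that NameID, while local usernames are stored lower-cased. With a case-sensitive NameID key, `domain\JDoe` and `domain\jdoe` are treated as two different broker subjects that both map to the local username `jdoe`, so the second login is rejected as an existing user. With the NameID folded to lower case before the lookup, both spellings resolve to the same account. The `Broker` class, `saml_response` builder and the two-tuple return values are assumptions of this example only.

```python
"""Added example (not from the report, not Keycloak code): why a case-sensitive
NameID match produces "User already exists" for a Windows account name, and
how folding the NameID before the lookup avoids it."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def saml_response(name_id: str) -> bytes:
    """Build a minimal unsigned SAML 2.0 Response carrying NAME_ID.
    Constructed test data; issuer and IDs are placeholders."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>""".encode()


def extract_name_id(xml_bytes: bytes) -> str:
    """Return the NameID text from Response/Assertion/Subject/NameID."""
    root = ET.fromstring(xml_bytes)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not node.text or not node.text.strip():
        raise ValueError("no NameID in SAML response")
    return node.text.strip()


def normalize_windows_account(name_id: str) -> str:
    """Fold a DOMAIN\\user name to lower case. Windows account names are
    case-insensitive; str.lower() is used rather than casefold() so that
    Unicode folds (e.g. 'ß' -> 'ss') cannot merge two distinct names."""
    if "\\" not in name_id:
        raise ValueError("expected DOMAIN\\user, got %r" % name_id)
    domain, user = name_id.split("\\", 1)
    return "%s\\%s" % (domain.lower(), user.lower())


class Broker:
    """Toy model of a SAML identity-provider broker (assumption of this example).
    federated: broker subject key -> local username
    users:     local usernames, stored lower-cased"""

    def __init__(self, case_insensitive_name_id: bool):
        self.fold = case_insensitive_name_id
        self.federated = {}
        self.users = set()

    def _subject_key(self, name_id: str) -> str:
        return normalize_windows_account(name_id) if self.fold else name_id

    def login(self, xml_bytes: bytes):
        """Returns ("login", user), ("created", user) or ("error", message)."""
        name_id = extract_name_id(xml_bytes)
        key = self._subject_key(name_id)
        if key in self.federated:
            return ("login", self.federated[key])
        # First login for this broker subject: derive a local username from
        # the part after the domain separator, lower-cased like local accounts.
        username = name_id.split("\\", 1)[1].lower()
        if username in self.users:
            # Same local username, unknown broker subject: the clash from the report.
            return ("error", "User already exists")
        self.users.add(username)
        self.federated[key] = username
        return ("created", username)


if __name__ == "__main__":
    for fold in (False, True):
        b = Broker(case_insensitive_name_id=fold)
        print("case-insensitive NameID:", fold)
        for nid in ("domain\\JDoe", "domain\\jdoe", "DOMAIN\\JDOE"):
            print("  %-14s -> %s" % (nid, b.login(saml_response(nid))))
```

Folding the NameID is only safe when the IdP guarantees that the identifier is case-insensitive, as Windows account names are; for an IdP whose subjects are case-sensitive, the same fold would silently merge two distinct principals, which is the security concern behind not merging users. That is why such a switch belongs per identity provider rather than globally.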