Version/Environment:
Any version, though most likely to occur if you're an established customer who upgraded from one of our older (pre-Keycloak) versions.
Issue:
When trying to activate or deactivate a user in the Domino Admin pages, you receive the error message "User could not be activated: User <user> does not have idpId set" or "User could not be deactivated: User <user> does not have idpId set".
Root Cause:
This issue can occur if the MongoDB record for a specific user lacks an entry for "idpId", a field that facilitates communication between the Domino UI and Keycloak.
Resolution:
Note: This resolution involves editing records in MongoDB. While the steps outlined in this article are fairly straightforward, if you have any questions or are not comfortable executing these steps, please don't hesitate to reach out to Domino Support for assistance!
To fix this issue, the user needs their idpId from Keycloak added to their MongoDB user record in Domino. MongoDB can be accessed in the Domino Admin UI under Advanced > MongoDB, and Keycloak is accessed at https://<your domino url>/auth/admin.
- Locate the user in MongoDB. The user ID from the error message can be used for this step. Confirm there is no field/value for "idpId".
Example MongoDB query: db.users.find({"loginId.id":"domino_user"}).pretty()
Example Results (note the lack of "idpId" field):
{ "_id" : ObjectId("631765c41af713753257ab76"), "loginId" : { "id" : "domino_user", "lowercaseId" : "domino_user" }, "firstName" : "Domino", "lastName" : "User", "fullName" : "Domino User", "email" : "test@email.com", "created" : ISODate("2022-09-06T15:22:44.476Z"), "planInfo" : { "trialStartDate" : ISODate("2022-09-06T15:22:44.476Z"), "freeRunsForAllProjects" : false }, "_systemRoles" : [ "Practitioner" ], "sshKeys" : [ ], "gitDomainCredentials" : [ ], "deactivatedFlag" : true, "productOptIn" : true, "marketingOptIn" : false, "isDominoEmployee" : false }
- Locate the user in Keycloak and copy their idpId. This will be the value in the "ID" field.
- Update the user's MongoDB record with the "idpId" (the "ID" from Keycloak). If your query in Step 1 returned only a single user, you could identify the record by the user's loginId; however, using the "_id" field to identify the user ensures that only a single record is updated and that there are no unintended consequences.
Example MongoDB query: db.users.update({"_id" : ObjectId("631765c41af713753257ab76")}, {$set: {"idpId":"2fc9f176-49c4-49a3-8c63-8a0d3a956420"}})
Expected Result:
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })
- Re-run the query from Step 1 to double-check that the "idpId" is now present.
Example MongoDB query: db.users.find({"loginId.id":"domino_user"}).pretty()
Example Results:
{ "_id" : ObjectId("631765c41af713753257ab76"), "loginId" : { "id" : "domino_user", "lowercaseId" : "domino_user" }, "firstName" : "Domino", "lastName" : "User", "fullName" : "Domino User", "email" : "test@email.com", "created" : ISODate("2022-09-06T15:22:44.476Z"), "planInfo" : { "trialStartDate" : ISODate("2022-09-06T15:22:44.476Z"), "freeRunsForAllProjects" : false }, "_systemRoles" : [ "Practitioner" ], "sshKeys" : [ ], "gitDomainCredentials" : [ ], "deactivatedFlag" : false, "productOptIn" : true, "marketingOptIn" : false, "isDominoEmployee" : false, "idpId" : "2fc9f176-49c4-49a3-8c63-8a0d3a956420", "hashedApiKey" : "0343cc45c0f21ed8a50a45805b97b28db537cb0e" }
It should now be possible to Activate/Deactivate this user in Domino.
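When several accounts are affected, it helps to plan the updates offline before editing any record. The following is an added example, not Domino's own tooling: it takes user documents exported from MongoDB and user objects exported from Keycloak, and builds one guarded update per user that lacks "idpId". The function name, the matching of "loginId.lowercaseId" to the Keycloak username, and the UUID check (based on the ID format shown above) are assumptions; the sample data is constructed.

```javascript
// Added example: plan idpId backfills from exported data; it never touches the database.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// dominoUsers: documents from db.users; keycloakUsers: objects with id and username.
// Assumption: loginId.lowercaseId corresponds to the Keycloak username.
function planIdpIdBackfill(dominoUsers, keycloakUsers) {
  const byName = new Map();
  for (const k of keycloakUsers) {
    const name = String(k.username || "").toLowerCase();
    if (!byName.has(name)) byName.set(name, []);
    byName.get(name).push(k);
  }
  const claimed = new Set(dominoUsers.filter(u => u.idpId).map(u => u.idpId));
  const updates = [], skipped = [];
  for (const u of dominoUsers) {
    if (u.idpId) continue; // already linked, nothing to do
    const login = u.loginId && u.loginId.lowercaseId;
    const matches = byName.get(login) || [];
    let reason = null;
    if (matches.length === 0) reason = "no Keycloak user";
    else if (matches.length > 1) reason = "ambiguous Keycloak match";
    else if (!UUID_RE.test(matches[0].id)) reason = "Keycloak ID is not a UUID";
    else if (claimed.has(matches[0].id)) reason = "idpId already used by another record";
    if (reason) { skipped.push({ _id: u._id, login, reason }); continue; }
    claimed.add(matches[0].id);
    updates.push({
      // Filter on _id and on the field still being absent, so one record at most changes.
      filter: { _id: u._id, idpId: { $exists: false } },
      update: { $set: { idpId: matches[0].id } },
    });
  }
  return { updates, skipped };
}

// Constructed sample data; the _id strings stand in for ObjectId values.
const sampleDomino = [
  { _id: "631765c41af713753257ab76", loginId: { id: "domino_user", lowercaseId: "domino_user" } },
  { _id: "aaaaaaaaaaaaaaaaaaaaaaa1", loginId: { id: "Linked", lowercaseId: "linked" }, idpId: "11111111-1111-4111-8111-111111111111" },
  { _id: "aaaaaaaaaaaaaaaaaaaaaaa2", loginId: { id: "ghost", lowercaseId: "ghost" } },
];
const sampleKeycloak = [
  { id: "2fc9f176-49c4-49a3-8c63-8a0d3a956420", username: "domino_user" },
  { id: "11111111-1111-4111-8111-111111111111", username: "linked" },
];

console.log(JSON.stringify(planIdpIdBackfill(sampleDomino, sampleKeycloak), null, 2));
```

Each entry in "skipped" should be resolved by hand in Keycloak before any record is changed.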