
Wrong organization claim assignment in JWT access token #37169

@osajdapawel

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

organizations

Describe the bug

A user (whose email domain matches a domain already used by any organization) without any organization assigned gets an organization claim in the access token, which is in my opinion a very, very unwanted situation.
The issue occurs when we create a user with an email domain that is assigned to an organization. Then, even though the user is not a part of the organization, they get an organization claim in the access token (the user has no organization and the organization has no users).
The wrong claim is assigned only when using a client with a real application; the evaluation tool for that particular client works correctly.

Version

nightly

Regression

  • The issue is a regression

Expected behavior

A user with no organization has no organization claim, even if their email's domain name is the same as one used by an existing organization.

Actual behavior

A user with no organization gets an organization token claim with real organization data.

How to Reproduce?

  1. Create a realm.
  2. Enable organizations.
  3. Set email as username.
  4. Modify the client scope "organization" in client scopes:
    1. Set it as default. (screenshot)
    2. Modify the default mapper 'organizations' in the client scope. (screenshots: before and after)
  5. Create the client that will be used by the real application.
  6. Ensure that the scope "organization" is default.
  7. Create organizations. (screenshot)
  8. Create a user with an email that is used by one of the organizations (do not assign to any organization). (screenshot) The org also has no users. (screenshot)
  9. Log in to the application.
  10. The token contains an organization based on the domain while the user is not assigned to any domain. (screenshot)
  11. The evaluation tool works correctly. (screenshot)

(I wrote down all the steps I did.)

Anything else?

No response
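As an added example that is not part of this issue or of Keycloak itself, the following Python script shows the kind of check a relying party or a regression test could run to catch the mismatch described above: it decodes the claims of an access token (without signature verification, so it is an inspection aid only and never a substitute for validating the token) and compares the `organization` claim against the organizations the user is actually a member of, as a test would obtain them from the Admin API (here a constructed set). The sample token, the claim layout (`organization` as an object keyed by organization alias, with a list form also tolerated) and all helper names are assumptions, not Keycloak's own code.

```python
"""Detect an organization claim that does not match the user's real memberships.

Added example; not from the Keycloak project. The token built here is
constructed, and the layout of the `organization` claim is an assumption.
"""
import base64
import json
from typing import Any


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified_claims(token: str) -> dict[str, Any]:
    """Return the payload of a compact JWS. The signature is NOT checked:
    use this only to inspect claims, never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def claimed_organizations(claims: dict[str, Any]) -> set[str]:
    """Extract organization aliases from the claim, accepting the assumed
    object form {"alias": {...}} as well as a plain list of aliases."""
    org_claim = claims.get("organization")
    if isinstance(org_claim, dict):
        return set(org_claim.keys())
    if isinstance(org_claim, list):
        return {str(alias) for alias in org_claim}
    return set()


def organization_claim_mismatch(claims: dict[str, Any], actual_memberships: set[str]) -> set[str]:
    """Aliases the token asserts that the user is not actually a member of.
    An empty result means the claim is consistent with the memberships."""
    return claimed_organizations(claims) - set(actual_memberships)


def build_constructed_token(claims: dict[str, Any]) -> str:
    """Assemble a constructed, unsigned token for offline testing. The third
    segment is a placeholder, not a real signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-key-id"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-not-a-real-signature"),
    ])


# Constructed sample: a user whose email domain belongs to "example-org"
# but who has no organization membership, mirroring the report above.
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000001",
    "preferred_username": "alice@example.com",
    "email": "alice@example.com",
    "organization": {"example-org": {}},
}
SAMPLE_TOKEN = build_constructed_token(SAMPLE_CLAIMS)


def audit_token(token: str, actual_memberships: set[str]) -> dict[str, Any]:
    """Produce a small finding record suitable for a test log or alert."""
    claims = decode_unverified_claims(token)
    unexpected = organization_claim_mismatch(claims, actual_memberships)
    return {
        "subject": claims.get("sub"),
        "claimed": sorted(claimed_organizations(claims)),
        "unexpected": sorted(unexpected),
        "ok": not unexpected,
    }


if __name__ == "__main__":
    # With no memberships (the situation in the report) the claim is flagged.
    print(audit_token(SAMPLE_TOKEN, set()))
    # Once the user really is a member, the same token passes.
    print(audit_token(SAMPLE_TOKEN, {"example-org"}))
```

In a real test, `actual_memberships` would come from the organization membership endpoints of the Admin API for the user under test, and the token from a genuine login through the client, so the check exercises exactly the path the evaluation tool does not.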
