I'm currently working to implement the following requirements:
- users are managed externally via LDAP, self-registrations disabled;
- there is an external IdP;
- generally, there is no way to automatically match IdP identity with Keycloak's one,
so IdP linking will always be performed by the user manually;
- in order to do that, the user should click the IdP icon in the login screen,
authenticate with the IdP, get back to Keycloak and "claim" his/her Keycloak
account by entering correct username and password.
Currently, the closest thing in Keycloak is
"idp-username-password-form", aka "Username Password Form for identity
However, it 1) prefills username field and makes it non-editable, 2) depends on the
preceding IdpCreateUserIfUniqueAuthenticator execution to provide existing user model
(EXISTING_USER_INFO auth note).
My proposal is to improve IdpUsernamePasswordForm by allowing its execution even without
the preceding IdpCreateUserIfUniqueAuthenticator. In the absence of EXISTING_USER_INFO,
IdpUsernamePasswordForm should allow the user to manually enter username.
Please let me know if you think it's worth having this in Keycloak. Regards,