[keycloak-dev] User Session Reset

Hello, I am trying to implement the following scenario with KC. We have two applications, SP1 and SP2, that use KC. KC has identity broker pointing to external IDP. Desired scenario: 1. User agent goes to SP1, he's being redirected to KC and then to extIDP 2. User authenticated in extIDP, and being redirected to KC and then to SP1 with some attributes from extIDP 3. SP1 creates user entity in SP2 basing on attributes from extIDP and attributes collected by SP1 4. User entity in SP2 is synced to user federation store used by KC. 5. User should be able to SSO to SP2. Session in SP2 should obtain attributes set by SP1. The problem is 2 different user entities (instances of UserModel) created at KC at step #2 and #4. I plan to drop 1st entity, and set identity federation with extIDP for 2nd entity. But we also need to change user session in KC, it should contain 2nd user entity data. Otherwise SSO to SP2 won't work. Surprisingly, I've found a method org.keycloak.models.UserSessionModel#restartSession that looks like does the job. I plan to add custom Authenticator and call session reset from there. How do you think, will it work? Thank you