Hi, I'm going through the most recent doco, and I'm looking at the IdentityBroker section. So, having gone through the walkthrough, can someone tell me if I'm on the right track?

So, step #8 states that "Keycloak is going to check if the response from the identity provider is valid. If valid, it will create an user or just skip that if the user already exists".

Does that mean that Keycloak will have a User, against which roles can be mapped? This will be a user that would be, for example, displayed in the admin console just like any locally-defined User?

I'm trying to piece this all together, from where we can start assigning roles to these users whose authentication has been performed by an external IdentityProvider.

Following on from that, the user would continue to authenticate against the Identity Provider? If they already exist, that's mentioned later on in the same text where the accounts are linked?

If I've got this wrong, please let me know. :)

Thanks for any help,
Ed