We are examining Keycloak (it looks like it can do what we want), but we have the need to have an external lookup of accounts that are not in Keycloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in Keycloak, but from then on have all the data “live” in Keycloak and never refer to the external datasource again once the account is “migrated” into Keycloak.

Can this be done with some modification of federation?   

We do not want to add the user accounts directly into Keycloak as there are many more there than will ever be in Keycloak.

Thank you,

Reed Lewis