[keycloak-user] Fw: Keycloak as stateless broker

Hi, We would like to use keycloak as an identity broker in such a way that the identity collected from the identity provider are not permanently stored, so to avoid a build-up of identities stored on the broker. Ideally, we would like: * Keycloak, as identity broker to accept SAML assertion from one of several identity providers * To use (custom) authentication flows to normalise or transform some of the attributes to create a new UserModel and consequentially a new SAML response back to the service provider * To not bring the UserModel (or any other personal details to rest in the database), though we would accept storing just the unique ID of the user if we could avoid storing other attributes, whilst still propagating them back to the service provider * Ideally to make authorisation decisions based on groups or roles during the process – and stopping the authentication if those fail Any ideas on the best way to proceed would be most appreciated. Leo (p.s. this email was originally sent to keycloak-dev distort by mistake. apologies)