we are currently using Keycloak as a broker to do the SAML authentication to an external service for us. Keycloak is configured to authenticate the user with an external IdP (our application) that is set with the "Authenticate by default" flag to ON.

Is it possible to still force the display of the Keycloak login page, but only for some scenarios? We would like to have system integration users that don't exist in our application (not exposed to our customers), but would still be usable to access the external service (with proper roles).

Thanks,

Gabriel
--