Cris, it's probably too late for you, but Dmitry Telegin has answered our burning question. See code below for tips: AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError"); // take a look at org.keycloak.broker.provider.BrokeredIdentityContext to figure out what else you can obtain from that object. SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext"); AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator"); Response = Java.type("javax.ws.rs.core.Response"); MediaType = Java.type("javax.ws.rs.core.MediaType"); response = Response.status(401).entity("<h1>You must have an existing account to log in.</h1>").type(MediaType.TEXT_HTML_TYPE).build(); users = session.users().getUsers(realm, false); function authenticate(context) { var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); var biCtx = serializedCtx.deserialize(session, authenticationSession); var idpUsername = biCtx.username; LOG.info("username = " + idpUsername); LOG.info("alias = " + biCtx.idpConfig.alias); for(var u in users) { //LOG.info("u = " + users[u].getEmail()); if(idpUsername===users[u].getEmail()) { context.success(); return; } } context.failure(AuthenticationFlowError.USER_DISABLED, response); return; } On Fri, 14 Dec 2018 at 08:41, Cristóvão Cordeiro < cristovao.cordeiro(a)sixsq.com&gt; wrote: -- Regards, Geoffrey Cleaves