I would like to setup Keycloak with integration towards a SAML Idp but I have run into a few things I am uncertain how to solve. One thing to keep a note of is I would like to have the option of using local accounts for certain users so when mentioned the details below I mean only for the users who have linked their account through Idp. 1. Is there any way to only have "Verify existing account by Re-authentication" without "Create User If Unique" in my flow? I want only users with an existing account to be able to link and login through the Idp but I do not want a new local account to be created if the Idp user does not have one already. When I remove the "Create User If Unique" the flow does not work and I immediately get a "username/password incorrect" error when I try to login through the Idp 2. Once a user has logged in through the Idp and linked his account, is there any way to completely disable the local account so the user has to login through the Idp account (So removal of users on the Idp side, for example, can be enforced)? If not, maybe some way to achieve the behaviour by expiring the password for that specific user or something of the sort 3. The idea here is to try to take advantage of the Idp user account so that if a user has been removed on the Idp side, he is no longer able to login into keycloak with his local account. Any comments on how to best achieve this (or best practices) would be welcome