[keycloak-user] Enforce IdP login instead of local account for IdP-linked accounts?

Byte Flinger byteflinger at gmail.com
Mon Dec 11 03:49:57 EST 2017


Is nobody experienced in setting up the authentication flow in Keycloak?

On Wed, 6 Dec 2017, 12:03 Byte Flinger, <byteflinger at gmail.com> wrote:

> I would like to set up Keycloak with integration towards a SAML IdP, but I
> have run into a few things I am uncertain how to solve. One thing to note
> is that I would like to have the option of using local accounts for
> certain users, so in the details below I mean only the users who have
> linked their account through the IdP.
>
> 1. Is there any way to have only "Verify existing account by
> Re-authentication" without "Create User If Unique" in my flow? I want
> only users with an existing account to be able to link and log in through
> the IdP, but I do not want a new local account to be created if the IdP user
> does not have one already. When I remove "Create User If Unique", the
> flow does not work and I immediately get a "username/password incorrect"
> error when I try to log in through the IdP.
>
> 2. Once a user has logged in through the IdP and linked his account, is
> there any way to completely disable the local account so the user has to
> log in through the IdP account (so that removal of users on the IdP side, for
> example, can be enforced)? If not, maybe there is some way to achieve the
> behaviour by expiring the password for that specific user, or something of the sort.
>
> 3. The idea here is to take advantage of the IdP user account so
> that if a user has been removed on the IdP side, he is no longer able to
> log in to Keycloak with his local account. Any comments on how best to
> achieve this (or best practices) would be welcome.
>