[keycloak-user] multiple keycloak accounts linked to 1 IdP identity

Michal Hlavac miso at hlavki.eu
Tue Dec 10 03:05:07 EST 2019


Hi,

is it possible to have multiple Keycloak users mapped to 1 identity from e.g. a SAMLv2 Identity Provider?
From my understanding of the entity model, the findUserByFederatedIdentityAndRealm query and the browser authentication flow, this is not possible. Using federated identity links you can have only 1 identity mapped to 1 Keycloak user. Something like List<UserModel> users = UserProvider.getUsersByFederatedIdentity() does not exist.

The question is whether it's possible to implement custom Authenticators and a flow where the authenticators will map the provider identity to a user attribute, then find users by attribute and provide an account selector to choose one by this attribute value. And also, is that the best way to do it?

thanks, m.

