[keycloak-user] Avoid collisions and links of external accounts

Asier Aguado Corman asier.aguado at cern.ch
Tue May 28 05:49:35 EDT 2019


Dear Keycloak users/developers,

We're trying to configure Keycloak to use an LDAP user federation together with identity brokering on social providers (such as GitHub). We want these accounts to be dissociated as different logins, i.e. different usernames or unique IDs, without adding them to an existing account. The Keycloak login flow currently allows for duplicate emails, but if a social account logs in with the same username as an internal LDAP account, this will result in a username collision. This is not good for our use case, as we don't want to associate these accounts in Keycloak.

In summary,

1) We can't use login with email: we don't want to trust an email from an external provider. We can avoid this by disabling it and allowing duplicate emails. It would be great though to still allow email login for LDAP users.

2) We would need a way to generate usernames from external accounts, something like mapping 'asieraguado' to 'asieraguado at github', so they can be unique. We think that linking accounts will be confusing for our users, and we don't want them to select any username.

Any ideas on how to achieve this configuration?

Best regards,
Asier Aguado
