Enable user if logging in via IDP

Our Keycloak is configured with User Federation via AD, but we also allow an IDP login via ADFS on prem.

We have a custom script configured that disables users who have not logged in in the last 90 days.
We still don’t want to let these users log in via AD (Username + Password), but we want to be able to allow these users to log in via IDP.

So my question is: is this possible?
The flow we want is: if they log in via IDP (and it’s already linked to an existing account), we ‘re-enable’ the account and allow them to log in; or, if they haven’t ‘linked’ it to an existing AD account, that it is enabled so they can ‘link’ it to a disabled account.

Is this as simple as updating the IDP Login flow to somehow enable the account either before linking (for existing AD users newly linking) or before completing the login process (those already linked but haven’t logged in in 90 days so are disabled)?