Errors in users in Keycloak Database clashing with read-only ldap

I have a really funky setup that works for the most part (actually have this deployed in more than one place) but as a result often run into weird issues.

I have Keycloak doing a lot of heavy lifting for some of my deployments of an HPC web portal called Open OnDemand.

Keycloak first authenticates an unauthenticated user with an upstream IDP. This IDP returns an institution email which is then mapped to Keycloaks user data base which is federated by a read-only, non-import LDAP server. If a user exists in ldap then the email from the IDP should match an email in an ldap entry, from which a username is mapped. This is then forwarded on to the portal where this username should match a local linux user.

In the event that a user does not already exist in ldap, Keycloak creates the user in its local Database and passes the email to my portal as a preferred_username where I have a shim that automatically creates the user in ldap by stripping the domain name from the email. Then, upon subsequent logins, the user is mapped properly with the now existing ldap entry.

This system has been working well even though it does result in both an ldap and local keycloak user existing. The problems arise when there is an error in the ldap entry which leads to a local keycloak user being made which I cant seem to remove, even after fixing the errors in the LDAP entry.

In this case, I will fix the issues in LDAP (2x examples are; multiple LDAP entries with same email or an ldap entry that is incorrectly formatted). When this happens I can look up the incorrectly made user in the users section of the KC admin portal but receive a generic “Unexpected server error” when trying to go to that accounts page. I also cannot delete the account. KC then does not seem to be able to find the corrected LDAP account at all. It seems like these broken accounts are stuck in the KC local user DB.

At the end of the day it would be best for my setup if Keycloak did not use its local user database at all and simply referenced the read only ldap but as I understand it this is not possible at the moment. Is there a way to purge the entire KC local user db? Doing this as needed would have the same effect as if KC never kept a local user DB.

Simply put, the goal is that anyone that passes the upstream IDP authentication can be considered valid and authenticated by KC regardless of if they exist in ldap or not. If they exist in ldap then KC passes their mapped username to my portal, if they do not exist in ldap then KC just passes the email it got from the upstream IDP to my web portal and the portal handles it from there (making the ldap account and other internal bits). I have this system working effectively using a “cookie → create user if unique → automatically set existing user” Authentication flow at the moment buts its a bit hacky. As a result of that hackiness I think I am getting these weird entries in Keycloaks DB if there are LDAP errors and I then cannot seem to remove those erroneous local accounts.

This is understandably a unique setup as I can trust the upstream IDP to only authenticate Institution accounts which are then also valid for authorization with my web portal.

Thanks for any advice!