How to Automatically Link Existing Users with SAML Identity Provider in Keycloak?

Hello everyone,

I have integrated an external identity provider using SAML with my Keycloak setup, and everything is working fine. However, I would like to streamline the user experience in the following scenario:

  1. The user already exists in Keycloak.
  2. The user tries to connect using their third-party SAML provider account.

Currently, Keycloak displays an “Account already exists” form with two buttons:

  • “Review profile”
  • “Add to existing account”

I want to achieve the following:

  • Skip the “Account already exists” form entirely.
  • Automatically send a confirmation link to the user’s email.
  • Upon clicking the link in the email, the user’s Keycloak account should be linked with their SAML provider account.

Here are the steps I’ve taken so far:

  • I tried duplicating the “First Broker Login” authentication flow and modifying various parameters.
  • I managed to remove the form by using the “reauthentication approach.”
  • However, I couldn’t remove the form while keeping the “confirmation link sent by email” approach intact.
  • I also attempted to create a new workflow from scratch, which did send an email but failed to establish the link between Keycloak and the third-party IDP upon clicking the link.

My questions are:

  1. Is it possible to achieve this workflow in Keycloak?
  2. If yes, can anyone provide guidance or a working example of the configuration/workflow to achieve this?

Any help or suggestions would be greatly appreciated!

Thank you!
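Whatever copy of the "First Broker Login" flow you end up with, it is worth checking that the "Handle Existing Account" branch still requires proof of ownership (email verification or re-authentication) before an IdP identity is linked to an existing Keycloak user. The following is an added example, not the poster's configuration or Keycloak's own code: it audits the execution list of a flow, using a constructed sample shaped like the Admin REST API's `GET /admin/realms/{realm}/authentication/flows/{flowAlias}/executions` response (field names and providerIds assumed to match the default first broker login flow).

```python
import json

# Constructed sample, not output from a real server. The shape follows the
# Admin REST API executions listing: depth-first order, "level" gives the
# subflow nesting, subflows carry "authenticationFlow": true.
SAMPLE_EXECUTIONS = json.loads("""[
 {"displayName": "Review Profile", "providerId": "idp-review-profile", "requirement": "DISABLED", "level": 0},
 {"displayName": "User creation or linking", "authenticationFlow": true, "requirement": "REQUIRED", "level": 0},
 {"displayName": "Create User If Unique", "providerId": "idp-create-user-if-unique", "requirement": "ALTERNATIVE", "level": 1},
 {"displayName": "Handle Existing Account", "authenticationFlow": true, "requirement": "ALTERNATIVE", "level": 1},
 {"displayName": "Confirm link existing account", "providerId": "idp-confirm-link", "requirement": "DISABLED", "level": 2},
 {"displayName": "Account verification options", "authenticationFlow": true, "requirement": "REQUIRED", "level": 2},
 {"displayName": "Verify existing account by Email", "providerId": "idp-email-verification", "requirement": "ALTERNATIVE", "level": 3},
 {"displayName": "Verify Existing Account by Re-authentication", "authenticationFlow": true, "requirement": "ALTERNATIVE", "level": 3},
 {"displayName": "Username Password Form for identity provider reauthentication", "providerId": "idp-username-password-form", "requirement": "REQUIRED", "level": 4}
]""")

# Executions that prove the person owns the existing account before it is linked.
VERIFIERS = {"idp-email-verification", "idp-username-password-form"}


def effective_executions(execs):
    """Keep executions that can actually run: drop DISABLED ones and everything
    nested under a DISABLED subflow (children follow their parent with level+1)."""
    kept, skip_below = [], None
    for e in execs:
        if skip_below is not None and e["level"] > skip_below:
            continue  # still inside a disabled subflow
        skip_below = None
        if e["requirement"] == "DISABLED":
            skip_below = e["level"]
            continue
        kept.append(e)
    return kept


def audit(execs):
    """Return findings about how an existing account gets linked to an IdP identity."""
    providers = {e.get("providerId") for e in effective_executions(execs)}
    findings = []
    if "idp-confirm-link" not in providers:
        findings.append("confirm-link page is skipped")
    if not providers & VERIFIERS:
        findings.append("no verification step: IdP assertion alone links to existing account")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_EXECUTIONS):
        print(line)
```

Skipping the confirm page alone is only a usability change; the second finding is the one that matters, since it means any account at the SAML IdP with a matching attribute would be linked to the local user without verification.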