How to enforce the federated identity to use the same email / NameID?

I’ve configured Keycloak with a SAML Identity Provider, and things are working great. However, one part that I cannot explain is how the “First Broker Login” flow works (at least by default):

  1. User logs in through their IDP, let’s say they used the e-mail “”, and is redirected to Keycloak
  2. Keycloak executes the “Review Profile” step, and displays a Form for the user, so the user may supply missing information like their First/Last name. The problem is that the form also allows the user to change their username AND email from what they just used to log in to their IDP (step 1)

I tried changing the username/email to e.g. “” and Keycloak used that when provisioning the user locally, which is very different from what I wanted.

I understand that from Keycloak’s perspective this is a federated identity, and it simply linked this new account with the external IDP account, and while I appreciate this feature, I need to disable it in my case so that the email of the local user is always the same as that of the federated identity.

What seemed to “fix” this is that I modify the “First Broker Login” flow and disable the “Review Profile” step. But I’m worried that I might be just “hiding” the problem, and would appreciate any advice on how to approach this correctly.

Have a wonderful day/night!


I faced the same problem.
Is it possible to disable editing some fields on the “Review Profile” step?
Probably it can be done by changing the theme, but is there another way?
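
An audit for accounts that were already provisioned with an edited e-mail, as described in the question above (an added example, not part of the thread and not Keycloak's own code). It assumes the IdP sends the e-mail address as NameID and that user records are available in the shape of a realm export; the sample records and the alias `corp-saml` are constructed.

```python
# Constructed sample data, shaped like the "users" array of a Keycloak realm
# export (username, email, federatedIdentities[].identityProvider/userName).
# Assumption: the IdP sends the e-mail as NameID, so it is stored as userName.
SAMPLE_USERS = [
    {"username": "alice", "email": "alice@corp.example",
     "federatedIdentities": [{"identityProvider": "corp-saml",
                              "userName": "Alice@Corp.Example"}]},
    {"username": "bob", "email": "bob@personal.example",  # edited at review
     "federatedIdentities": [{"identityProvider": "corp-saml",
                              "userName": "bob@corp.example"}]},
    {"username": "carol", "email": "carol@corp.example"},  # local-only account
    {"username": "dave", "email": "dave@other.example",
     "federatedIdentities": [{"identityProvider": "partner-saml",
                              "userName": "dave@partner.example"}]},
    {"username": "erin",  # no e-mail stored locally
     "federatedIdentities": [{"identityProvider": "corp-saml",
                              "userName": "erin@corp.example"}]},
]


def _norm(value):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return (value or "").strip().casefold()


def find_email_drift(users, idp_alias=None):
    """Return one finding per IdP link whose userName differs from the local e-mail."""
    findings = []
    for user in users:
        local = _norm(user.get("email"))
        for link in user.get("federatedIdentities") or []:
            if idp_alias and link.get("identityProvider") != idp_alias:
                continue
            external = _norm(link.get("userName"))
            if local == external:
                continue
            findings.append({
                "username": user.get("username"),
                "identityProvider": link.get("identityProvider"),
                "reason": "missing_local_email" if not local else "mismatch",
            })
    return findings


if __name__ == "__main__":
    for finding in find_email_drift(SAMPLE_USERS, idp_alias="corp-saml"):
        print(finding)
```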