We use identity brokering for our users to decouple the internal IdP broker (providing authorization and a uniform SSO protocol for our apps) from the external IdP (not managed by us; providing authentication of the users). This decoupling works perfectly, as it leaves security policy enforcement (MFA, password rotations…) in the hands of the external provider.
We’d like to achieve a similar behavior also for service accounts – let the external IdP manage the identity and handle policies, while the internal IdP (broker) would handle the application-specific details (internal roles, UMA…).
But I have not been able to find in the docs whether such a flow is standard or even possible, because user brokering is based on redirects (which will not work for service accounts).
Is service account brokering possible? Or is there another option to achieve a similar behavior?