Identity Brokering without local accounts

Hi everyone,

We are using a Keycloak instance for providing SSO to a couple of webapps. We do not allow user registration and we do not connect any user directory. The only way of authentication is through two external SAMLv2 identity providers via identity brokering.

While there is an option for not importing local users from a federated user directory, unfortunately there is none for identity brokering. Due to a strict GDPR compliance requirement, under no circumstances can we allow Keycloak to create local copies of all remote user identities that are used to log in.

Is there any way of preventing Keycloak from creating local users for identity brokering? Are there technical reasons why Keycloak requires local users? There is an issue about this from 2017, but there seems to be no update to this topic at all: https://issues.redhat.com/browse/KEYCLOAK-4429

Is this something that could be resolved through a custom SPI or any undocumented property? Or is this something with no easy solutions at all?

Thank you all for your efforts to provide us with Keycloak. We really appreciate your work and I am looking forward to your replies.

Greetings from Germany
Fabian

Keycloak creates a local user for an external identity brokered account. There isn’t a great way to stop it from doing this. I suppose you could create your own User Storage SPI implementation, but I’m not 100% sure that will do what you want.
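Since the local user is created anyway, the practical check is to know exactly which personal data ends up in Keycloak's database for each brokered login. The script below is an added example, not code from the thread or from the Keycloak project: it takes admin REST API output in the shape of UserRepresentation (GET /admin/realms/{realm}/users) and FederatedIdentityRepresentation (GET /admin/realms/{realm}/users/{id}/federated-identity) and lists, per locally created account, the identity providers it is linked to, the remote identifiers Keycloak keeps, and the personal-data fields stored locally. The JSON below is constructed sample data, and the user ids, provider aliases and attribute names in it are assumptions.

```python
"""Inventory the local shadow accounts Keycloak keeps for brokered logins.

Added example: it reads data in the shape of Keycloak's admin REST API
responses and reports what Keycloak stores locally per brokered user.
"""
import json

# Constructed sample data (not real Keycloak output). User ids, provider
# aliases and attribute names are assumptions for this example only.
SAMPLE_USERS_JSON = """
[
  {"id": "u-1", "username": "a.mueller", "email": "a.mueller@example.org",
   "firstName": "Anna", "lastName": "Mueller", "enabled": true,
   "attributes": {"department": ["sales"]}},
  {"id": "u-2", "username": "b.schmidt", "email": "b.schmidt@example.org",
   "firstName": null, "lastName": null, "enabled": true},
  {"id": "u-3", "username": "service-account-app", "enabled": true}
]
"""

# Map of local user id -> federated-identity list, as returned per user by
# GET /admin/realms/{realm}/users/{id}/federated-identity (constructed here).
SAMPLE_FEDERATED_JSON = """
{
  "u-1": [{"identityProvider": "saml-idp-a", "userId": "idp-a-4711", "userName": "a.mueller"}],
  "u-2": [{"identityProvider": "saml-idp-b", "userId": "idp-b-0815", "userName": "b.schmidt"}],
  "u-3": []
}
"""

# Top-level UserRepresentation fields that carry personal data.
PERSONAL_FIELDS = ("username", "email", "firstName", "lastName")


def inventory(users, federated_by_id):
    """Return one record per local user with its IdP links, the remote
    identifiers Keycloak stores for those links, and the personal-data
    fields that are populated locally (empty/null fields are skipped)."""
    records = []
    for user in users:
        links = federated_by_id.get(user["id"], [])
        stored = [f for f in PERSONAL_FIELDS if user.get(f)]
        # Custom attributes are lists of values; only non-empty ones count.
        stored += [f"attributes.{k}"
                   for k, v in (user.get("attributes") or {}).items() if v]
        records.append({
            "id": user["id"],
            "providers": sorted(link["identityProvider"] for link in links),
            "remote_ids": sorted((link["identityProvider"], link["userId"])
                                 for link in links),
            "stored_fields": stored,
        })
    return records


def brokered_shadow_accounts(records):
    """Only the local accounts that are linked to an external IdP, i.e. the
    copies Keycloak created because of a brokered login."""
    return [r for r in records if r["providers"]]


def load_sample():
    """Run the inventory over the constructed sample data."""
    return inventory(json.loads(SAMPLE_USERS_JSON),
                     json.loads(SAMPLE_FEDERATED_JSON))


if __name__ == "__main__":
    for rec in brokered_shadow_accounts(load_sample()):
        print(rec["id"], rec["providers"], rec["remote_ids"], rec["stored_fields"])
```

Against a live instance you would replace the two constants with the responses of the admin endpoints named above (the list endpoint does not include the federated-identity links, so they have to be fetched per user). Note that even a user with every profile field empty still carries the link record with the remote user id, so the link itself is a stored identifier that has to appear in any data inventory.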

Is there an update on this? I’m running into the same issue.