We are using a Keycloak instance for providing SSO to a couple of webapps. We do not allow user registration and we do not connect any user directory. The only way of authentication is through two external SAMLv2 identity providers via identity brokering.
While there is an option for not importing local users from a federated user directory, unfortunately there is none for identity brokering. Due to a strict GDPR compliance requirement, under no circumstances can we allow Keycloak to create local copies of all remote user identities that are used to log in.
Is there any way of preventing Keycloak from creating local users for identity brokering? Are there technical reasons why Keycloak requires local users? There is an issue about this from 2017, but there seems to be no update on this topic at all: https://issues.redhat.com/browse/KEYCLOAK-4429
Is this something that could be resolved through a custom SPI or any undocumented property? Or is this something with no easy solutions at all?
Thank you all for your efforts to provide us with Keycloak. We really appreciate your work and I am looking forward to your replies.
Greetings from Germany
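The post states that every brokered login leaves a local user behind. One check a practitioner would want before arguing the compliance case is an inventory of exactly which local accounts were created by the two SAML brokers (as opposed to any other local accounts), so the extent of the copies is known and can be reviewed or cleaned up. The script below is an added example and is not code from the original post or from the Keycloak project. It uses the Keycloak Admin REST API (password grant against the master realm's token endpoint with the `admin-cli` client, `GET /admin/realms/{realm}/users` and `GET /admin/realms/{realm}/users/{id}/federated-identity`); the broker aliases `saml-idp-a` and `saml-idp-b`, the environment variable names, and the sample users are assumptions made up for the example. Run without `KEYCLOAK_URL` set, it classifies the constructed sample data offline.

```python
"""Inventory the local Keycloak accounts that identity brokering created.

Added example, not part of the original post. Assumes the Keycloak Admin
REST API: token endpoint on the master realm, /admin/realms/{realm}/users
and /admin/realms/{realm}/users/{id}/federated-identity. The broker aliases
below are hypothetical names for the post's two SAMLv2 identity providers.
"""
import json
import os
import urllib.parse
import urllib.request

# Hypothetical aliases of the two SAML identity providers configured in the realm.
BROKER_ALIASES = {"saml-idp-a", "saml-idp-b"}


def admin_token(base_url, username, password):
    """Obtain an admin access token via the master realm's token endpoint."""
    data = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_json(base_url, token, path):
    """GET an Admin REST API path (relative to /admin/realms) and parse the JSON body."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms{path}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_all_users(base_url, token, realm, page_size=100):
    """Page through /users with first/max; Keycloak caps the page size per request."""
    users, first = [], 0
    while True:
        page = get_json(base_url, token, f"/{realm}/users?first={first}&max={page_size}")
        users.extend(page)
        if len(page) < page_size:
            return users
        first += page_size


def classify_users(users, federated_links, broker_aliases=BROKER_ALIASES):
    """Split local users into those linked to a configured broker and the rest.

    users: list of UserRepresentation dicts (needs "id" and "username").
    federated_links: dict user id -> list of FederatedIdentityRepresentation
        dicts, each with "identityProvider" (broker alias), "userId", "userName".
    Returns (brokered, unlinked): brokered describes each local copy created by
    brokering; unlinked lists user ids with no link to the given brokers.
    """
    brokered, unlinked = [], []
    for user in users:
        links = [link for link in federated_links.get(user["id"], [])
                 if link["identityProvider"] in broker_aliases]
        if links:
            brokered.append({
                "id": user["id"],
                "username": user["username"],
                "brokers": sorted(link["identityProvider"] for link in links),
            })
        else:
            unlinked.append(user["id"])
    return brokered, unlinked


# Constructed sample data; shapes follow the Admin REST API representations.
SAMPLE_USERS = [
    {"id": "u1", "username": "alice"},
    {"id": "u2", "username": "bob"},
    {"id": "u3", "username": "service-account-audit"},
]
SAMPLE_LINKS = {
    "u1": [{"identityProvider": "saml-idp-a", "userId": "alice@idp-a.example", "userName": "alice"}],
    "u2": [{"identityProvider": "saml-idp-b", "userId": "bob@idp-b.example", "userName": "bob"},
           {"identityProvider": "saml-idp-a", "userId": "bob@idp-a.example", "userName": "bob"}],
}


if __name__ == "__main__":
    base = os.environ.get("KEYCLOAK_URL")
    if not base:
        # Offline run: classify the constructed sample instead of a live realm.
        brokered, unlinked = classify_users(SAMPLE_USERS, SAMPLE_LINKS)
    else:
        realm = os.environ["KEYCLOAK_REALM"]
        token = admin_token(base, os.environ["KEYCLOAK_ADMIN"],
                            os.environ["KEYCLOAK_ADMIN_PASSWORD"])
        users = fetch_all_users(base, token, realm)
        links = {u["id"]: get_json(base, token, f"/{realm}/users/{u['id']}/federated-identity")
                 for u in users}
        brokered, unlinked = classify_users(users, links)
    print(json.dumps({"brokered": brokered, "unlinked": unlinked}, indent=2))
```

The script only reads; it does not delete anything. Any cleanup step (for instance `DELETE /admin/realms/{realm}/users/{id}` for the `brokered` entries after a review) is deliberately left to a separate, reviewed change, since on the setup described in the post every local account came from a broker and a bug in the selection would remove real users.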