Identity Provider for Provisioned Accounts

We are currently transitioning much of our IAM capabilities across applications to Keycloak.

In one particular application, we are using Keycloak to provide SSO to upstream identity providers. Each “team” in this application can configure their own provider, which we set up via the Keycloak admin API and use the kc_idp_hint whenever members of this team need to log into the application.

We provision user accounts in Keycloak via the admin API. If the user ID from the identity provider matches the one we’ve provisioned, everything in the flow works great.

However, if the provider’s user ID does not match what we’ve provisioned, we would like Keycloak to redirect back to our application so it can handle the situation properly. At this phase of integration, we don’t plan to have the users interact with the Keycloak account UI.

What I’m trying to do seems similar to this unsolved mailing list post from last year:
Identity Provider for Provisioned Accounts.

We already have a custom authentication flow for first broker login that only does “Automatically Set Existing User”. If the identity provider user ID does not match what we’ve provisioned, the browser is redirected to /auth/realms/{realm}/login-actions/first-broker-login on the Keycloak server.

Is there a way to build an authentication flow step or execution to redirect to the client’s redirect_uri when a match is not possible?

I may have seen an example of this that uses “scripts”, but I’m not inclined to enable those on the server if I can avoid it.
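One way to do this without enabling scripts, as an added example that is not part of the original post and is not Keycloak's own code: a custom Authenticator SPI execution for the first-broker-login flow. It extends Keycloak's AbstractIdpAuthenticator (which hands the deserialized brokered identity to authenticateImpl), looks up the pre-provisioned user, and on a miss calls failure(error, response) with a 303 to the client's redirect_uri so the browser never lands on /login-actions/first-broker-login. Assumptions, beyond what the post states: the package, class, provider id and error codes are hypothetical; the provisioned account's Keycloak username equals the user ID asserted by the IdP; and the API signatures are those of the javax.ws.rs-era releases (the /auth prefix in the post implies pre-17), which differ slightly on newer versions (jakarta.ws.rs, and getUserByUsername(realm, username)).

```java
// Added example, not from the original post or from Keycloak. Hypothetical names
// are marked; the provisioned Keycloak username is assumed to equal the IdP user ID.
package com.example.keycloak.broker;                      // hypothetical package

import java.util.Collections;
import java.util.List;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.keycloak.Config;
import org.keycloak.OAuth2Constants;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.sessions.AuthenticationSessionModel;

public class ProvisionedUserOrRedirectAuthenticator extends AbstractIdpAuthenticator {

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        // brokerContext.getId() is the subject the upstream IdP asserted; the
        // provisioning step (assumption) used it as the Keycloak username.
        UserModel user = context.getSession().users()
                .getUserByUsername(brokerContext.getId(), context.getRealm());
        if (user == null) {                       // nothing provisioned for this subject
            fail(context, AuthenticationFlowError.INVALID_USER, "provisioned_user_not_found");
            return;
        }
        if (!user.isEnabled()) {                  // provisioned but disabled: also not ours to fix here
            fail(context, AuthenticationFlowError.USER_DISABLED, "user_disabled");
            return;
        }
        // Matched: set the user and let the flow finish. Keycloak stores the
        // federated identity link itself once first-broker-login succeeds.
        context.setUser(user);
        context.success();
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        authenticateImpl(context, serializedCtx, brokerContext);   // no form is ever rendered
    }

    /** Fail the flow. If the client sent a redirect_uri, answer with a 303 back to it
     *  carrying an OAuth-style error plus the client's state; otherwise pass a null
     *  response so Keycloak renders its usual error page. */
    private void fail(AuthenticationFlowContext context, AuthenticationFlowError error, String code) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        Response redirect = null;
        String redirectUri = authSession.getRedirectUri();
        if (redirectUri != null) {
            // The authorization endpoint already validated redirect_uri against the
            // client's registered URIs, so reusing it here is not an open redirect.
            UriBuilder target = UriBuilder.fromUri(redirectUri).queryParam(OAuth2Constants.ERROR, code);
            String state = authSession.getClientNote(OIDCLoginProtocol.STATE_PARAM);
            if (state != null) target.queryParam(OAuth2Constants.STATE, state);
            redirect = Response.seeOther(target.build()).build();
        }
        context.failure(error, redirect);
    }
}

class ProvisionedUserOrRedirectAuthenticatorFactory implements AuthenticatorFactory {
    public static final String ID = "provisioned-user-or-redirect";      // hypothetical provider id
    private static final Authenticator SINGLETON = new ProvisionedUserOrRedirectAuthenticator();
    private static final Requirement[] CHOICES = { Requirement.REQUIRED, Requirement.DISABLED };

    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public String getId() { return ID; }
    @Override public String getDisplayType() { return "Provisioned User Or Redirect To Client"; }
    @Override public String getReferenceCategory() { return "autoLink"; }
    @Override public boolean isConfigurable() { return false; }
    @Override public Requirement[] getRequirementChoices() { return CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Links the IdP subject to the provisioned user with that username, else redirects to the client.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

Register the factory in META-INF/services/org.keycloak.authentication.AuthenticatorFactory, deploy the jar as a provider, add the execution as REQUIRED to the custom first-broker-login flow in place of "Automatically Set Existing User", and bind that flow to each team's identity provider. The error codes in the redirect are application-defined rather than standard OAuth values, so the application must treat any redirect carrying error= as a failed login and never attempt a code exchange from it; the failure is still recorded as a LOGIN_ERROR event on the Keycloak side, which keeps it visible to monitoring.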