we use an external provisioning service to create user accounts in an identity provider and broker and link them together. We have disabled the “Review Profile” and “Login User Creation Or Linking” steps in the “First Broker Login” flow. With this setup we have the following behaviour:
- If a user account is available in the ip and broker, the login is possible.
- If a user account is available in the ip but not in the broker, the login fails.
This is exactly what we want. But with this setup, the user still has a session in the Identity Provider in the second case. How can we configure Keycloak that it logs out the user in the identity provider if it is not known in the broker and therefore the login fails?