Keycloak as identity broker only without managing users


We want to use keycloak as Identity Broker only.
We don’t need to have users inside keycloak.
Users are declared in a third-party application with credentials (login/password) .
It is possible to have this flow ?
Keycloak receives user credentials then communicates with third-party application (identity provider) with SAML 2 or OIDC to authorize or not the user before giving an request answer to keycloak.
In keycloak side, we configure only the third-party application as identity provider and we don’t declare any user in keycloak.
Thank you

In order to complete an Authentication Flow and return a token, Keycloak has to have an internal user (either local or federated). For identity brokering, this means that Keycloak creates a user “just in time” after a successful authentication with the third-party identity provider.

Yes and no :wink: - Keycloak creates a user, yes. But there is the experimental feature transient-users, which can be used that users from external IdPs are only held in-memory as long as their session is valid in Keycloak. Once the session has ended, the user is also gone, there will be no user stored in the database.

The feature is still experimental, but it works pretty well in all of my tests.



Thank for your answers.
This is my current example:
Web application with keycloak.js <==> keycloak <==> github as identity provider
When I try to access to my web application, I’m redirected to
GitHub login page
Once logged in GitHub, I’m redirected to keycloak “Update Account Information” page

Can I avoid this “Update Account Information” page ?

Thank you

Hey Ghazi,

you can try to change this behaviour in the “first broker login” Authentication Flow.
Just Click that Settings-wheel for the review profile step and turn off “Update Profile on First Login”

1 Like