Prevent password reset for external SSO users

It seems there is no out of the box solution provided by Keycloak to prevent SSO users/ external IdP users from setting their password from reset password functionality.

We also found [KEYCLOAK-4429] No import option for identity brokering - Red Hat Issue Tracker which indicates there is no way to prevent importing the external SSO users to Keycloak when logging in as it ends up creating a local database copy of the users.

Looking for ideas to get around this.

Hi,

You could write a small JavaScript authenticator which runs in a post broker login flow. This authenticator sets a custom user attribute which marks the user as “is from external broker”. Then you modify the password ftl templates in the login theme in a way that they check if this flag is set in the user’s attributes. If the attribute is there, disable the change password submit button.

regards,
Matthias
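The authenticator half of that approach, as an added example (not Matthias's code and not part of Keycloak): it assumes Keycloak's script-authenticator entry points authenticate(context)/action(context) and the AuthenticationFlowContext and UserModel calls shown; the attribute name and the stub context at the bottom are constructed for offline testing.

```javascript
// Keycloak script authenticator for a post-broker login flow (added example).
// Keycloak invokes authenticate(context) and action(context) with an
// AuthenticationFlowContext; the attribute name below is an assumption.
var EXTERNAL_IDP_ATTR = "external_idp";

// Record on the user that this account was created/linked through an
// external identity provider. UserModel.setSingleAttribute is the real API.
function markExternalUser(user) {
  user.setSingleAttribute(EXTERNAL_IDP_ATTR, "true");
  return user.getFirstAttribute(EXTERNAL_IDP_ATTR) === "true";
}

function authenticate(context) {
  var user = context.getUser();
  if (user === null || user === undefined) {
    // No user on the flow: do not fail the login, just leave it unmarked.
    context.attempted();
    return;
  }
  markExternalUser(user);
  context.success();
}

// Required by the authenticator contract; this step has no form to submit.
function action(context) {
  context.success();
}

// Constructed stub of the small part of Keycloak's API the script touches,
// so the script can be exercised outside Keycloak (not Keycloak code).
function makeStubContext(username) {
  var attrs = {};
  var user = username === null ? null : {
    setSingleAttribute: function (k, v) { attrs[k] = v; },
    getFirstAttribute: function (k) {
      return attrs.hasOwnProperty(k) ? attrs[k] : null;
    }
  };
  return {
    outcome: null,
    getUser: function () { return user; },
    success: function () { this.outcome = "success"; },
    attempted: function () { this.outcome = "attempted"; }
  };
}
```

The attribute only records provenance; the template check that reads it is presentation-level, so the server-side restriction still has to come from somewhere else (see the role-based suggestion below).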

Any solution which relies on hiding form fields is an insecure patch. As far as my research indicates, the best solution at this moment is to remove the manage-account role from users. Unfortunately this is overkill in most situations since it would be nice to allow users access to other “/account” screens and data.