Prevent password reset for external SSO users

It seems there is no out-of-the-box solution provided by Keycloak to prevent SSO users / external IdP users from setting their password through the reset password functionality.

We also found KEYCLOAK-4429 ("No import option for identity brokering") in the Red Hat Issue Tracker, which indicates there is no way to prevent importing the external SSO users into Keycloak when logging in, as it ends up creating a local database copy of the users.

Looking for ideas to get around this.
You could write a small JavaScript authenticator which runs in a post broker login flow. This authenticator sets a custom user attribute which marks the user as "is from external broker". Then you modify the password ftl templates in the login theme in a way that they check if this flag is set in the user's attributes. If the attribute is there, disable the change password submit button.
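The approach above, as an added example that is not code from the original post or from Keycloak: a script authenticator whose `authenticate(context)` entry point flags the brokered user, plus the attribute check the password templates would perform. In Keycloak the `user` binding is injected by the script runtime; the attribute name, the `MockUser`/`MockContext` stand-ins and the sample usernames are constructed here so the logic runs stand-alone in Node.

```javascript
// Attribute name is an assumption; pick whatever your theme will check.
const BROKER_FLAG = "is_from_external_broker";

// Core decision kept free of Keycloak bindings so it can be unit-tested.
function markBrokeredUser(userModel) {
  // UserModel#setSingleAttribute replaces any previous value of the attribute.
  userModel.setSingleAttribute(BROKER_FLAG, "true");
}

// Mirrors the check the password .ftl templates perform on user.attributes:
// only users without the flag may submit a new password.
function passwordChangeAllowed(attributes) {
  return String(attributes[BROKER_FLAG] || "").toLowerCase() !== "true";
}

// Keycloak script-authenticator entry point, bound to the post broker login flow.
// `user` is a runtime-injected global in Keycloak (here set by runDemo()).
function authenticate(context) {
  markBrokeredUser(user);
  context.success(); // never fail here: this step only annotates the user
}

// Constructed stand-ins for UserModel and AuthenticationFlowContext (offline only).
class MockUser {
  constructor(username, attributes = {}) {
    this.username = username;
    this.attributes = { ...attributes };
  }
  setSingleAttribute(name, value) { this.attributes[name] = value; }
  getFirstAttribute(name) { return this.attributes[name] ?? null; }
}
class MockContext {
  constructor() { this.outcome = null; }
  success() { this.outcome = "success"; }
  failure(err) { this.outcome = "failure:" + err; }
}

// Runs the flow for a brokered user ("alice") and compares against a local
// user ("bob") who never passed through the post broker flow.
function runDemo() {
  const brokered = new MockUser("alice");
  globalThis.user = brokered; // emulate Keycloak's injected `user` binding
  const ctx = new MockContext();
  authenticate(ctx);
  const local = new MockUser("bob");
  return {
    outcome: ctx.outcome,
    flag: brokered.getFirstAttribute(BROKER_FLAG),
    brokeredAllowed: passwordChangeAllowed(brokered.attributes),
    localAllowed: passwordChangeAllowed(local.attributes),
  };
}
```

Disabling the submit button in the template is a UI hint only; the same attribute check should also gate whatever server-side path accepts the new password, otherwise a hand-crafted form post still reaches it.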