We set up an external identity provider in a Keycloak realm on our local instance. In this external provider there are thousands of users, but only a few of them should have access to one of our applications.
Our current flow is the following: the user wants to log in to our application; she is then redirected to the external identity provider to enter her credentials. When authenticated, the user is redirected to our application and has access to it.
The problem here is that all users from the external provider can access our applications.
We know that the external provider's administrators have somewhat limited access, so that only a set of users is allowed access to our application. However, we don't know how Keycloak is supposed to check whether a user authenticated on the external provider is allowed to be imported into our Keycloak realm.
We are really confused by that and would like some guidance, so that we know whether we have to configure something special in Keycloak or whether we have to add some specific checks at the application level.
Thanks for your help!
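Editor's note, as an added example that is not part of the post above: the second option the poster mentions, an application-level check, comes down to verifying the token Keycloak hands the application and refusing any user who does not carry an entitlement that only the allowed brokered users receive. The code below does that against a token shaped like a Keycloak access token (`iss`, `aud`, `exp`, `realm_access.roles`). The issuer, client ID, required role name and the HS256 shared secret are constructed for this example; a real Keycloak realm signs with RS256 and publishes its keys at `<issuer>/protocol/openid-connect/certs`, so in production the signature step would use a JWT library against that JWKS instead of the stdlib HMAC shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. In a real deployment the issuer is
# https://<keycloak-host>/realms/<realm> and the audience is the client ID
# of the application registered in that realm.
ISSUER = "http://localhost:8080/realms/demo"
CLIENT_ID = "my-app"
# Hypothetical realm role that Keycloak assigns only to the allowed users
# (for example through an identity provider mapper on the broker).
REQUIRED_ROLE = "my-app-user"
# Constructed shared secret so the example runs offline. Keycloak itself
# signs tokens with RS256; see the note above the block.
SECRET = b"constructed-example-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # Re-add the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT with the given claims (test helper standing in for Keycloak)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token tell us how to verify it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # Keycloak may emit a string or a list
    if CLIENT_ID not in aud_list:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def is_authorized(token: str, now=None) -> bool:
    """True only for a valid token whose realm roles include REQUIRED_ROLE."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    roles = claims.get("realm_access", {}).get("roles", [])
    return REQUIRED_ROLE in roles


if __name__ == "__main__":
    now = 1_700_000_000
    base = {"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 300, "sub": "alice"}
    allowed = mint_token({**base, "realm_access": {"roles": [REQUIRED_ROLE]}})
    brokered_only = mint_token({**base, "realm_access": {"roles": ["default-roles-demo"]}})
    print("allowed user:", is_authorized(allowed, now))        # True
    print("any other brokered user:", is_authorized(brokered_only, now))  # False
```

The point of the role check is that "authenticated at the external provider" and "authorized for this application" are two different things: the broker proves the first, and the application must still enforce the second. The check is cheapest to enforce if Keycloak itself only grants the role to the allowed users, so that the application never has to keep its own list of external identities in sync.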