Keycloak Identity Provider – Avoid Creating Local Users

andreizzu · July 23, 2025, 7:24am

Hello everyone,

I have a Keycloak deployment where I’ve configured an external Identity Provider (IdP) for authentication. I’m trying to achieve the following flow:

A user logs in via the external IdP
An IdP mapper is used to assign appropriate roles
The user is not created or stored locally in the Keycloak user database

Is there a supported way to prevent Keycloak from creating a local user entry when authenticating through the IdP? Ideally, I’d like to rely entirely on the IdP for user identity and avoid any local persistence.

Any guidance or best practices would be greatly appreciated!

Many thanks!

dasniko · July 23, 2025, 8:26am

No, there isn’t. Keycloak needs a local instance for being able to work properly.

andreizzu · July 23, 2025, 9:56am

Thank you for the response.

lme · July 24, 2025, 7:37am

Couldn’t this be managed with transient users?

dasniko · July 24, 2025, 10:15am

The transient users feature is experimental, not supported and subject to be removed again in future.

bernhof · July 29, 2025, 7:32pm

I’ve seen others solve this by automating a recurring task that deletes users that have no active sessions.

dasniko · July 29, 2025, 7:38pm

See Issue #39888 for the future behaviour

Topic		Replies	Views
Identity Brokering without local accounts Configuring the server	2	1011	January 28, 2022
Keycloak as identity broker only without managing users Configuring the server identity-brokering	4	786	May 16, 2024
Mapping of local keyloak user to external userId via identity broker - custom process	5	1688	January 5, 2022
Disable user creation on Keycloak Getting advice admin-console , authentication , database , identity-brokering	0	1079	June 20, 2023
Use Keycloak as third-party handler, without concrete users?	0	352	September 3, 2021

Keycloak Identity Provider – Avoid Creating Local Users

Related topics