We have a flow where users log in to Citrix NetScaler with username and password and are then redirected to Keycloak, which forces the user to do FIDO2 authentication (YubiKey Bio). Citrix NetScaler is connected to Keycloak via SAML. All works fine so far. But we have a policy that says the user should not be able to register the YubiKey himself. Instead, he/she should be forced to go to a specific apartment where the YubiKey will be set up and registered to the user account. For this to work, I have to disable user registration in the normal flow but somehow have a specific page where the registration can be done.
Is it possible to have this separated somehow?
I checked already the admin console, but there I can only set a password for the user, not any FIDO2 devices.
Can you give me some advice?
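One piece a practitioner wants alongside such a policy is a way to verify it: a report of which realm users actually hold a registered FIDO2 (WebAuthn) credential and which do not, so the registration desk and the help desk can reconcile against their records. The following is an added example written for this question, not code from the original post, from Keycloak or from Citrix. It uses the Keycloak Admin REST API (`GET /admin/realms/{realm}/users`, `GET /admin/realms/{realm}/users/{id}/credentials`, with a client-credentials token from `POST /realms/{realm}/protocol/openid-connect/token`) and relies on Keycloak storing WebAuthn credentials under the credential types `webauthn` and `webauthn-passwordless`. The base URL, realm name, service-account client and the sample user data are placeholders and constructed values; the script does not change any flow or required action, it only reads.

```python
"""Audit which Keycloak users hold a registered FIDO2 (WebAuthn) credential.

Added example for the question above; not Keycloak's or Citrix's own code.
Assumed Admin REST API endpoints:
  POST /realms/{realm}/protocol/openid-connect/token   (client_credentials)
  GET  /admin/realms/{realm}/users
  GET  /admin/realms/{realm}/users/{id}/credentials
"""
import json
import urllib.parse
import urllib.request

# Keycloak stores WebAuthn credentials under these two credential types,
# depending on whether the "WebAuthn" or "WebAuthn Passwordless"
# authenticator registered them.
WEBAUTHN_TYPES = {"webauthn", "webauthn-passwordless"}


def summarize_credentials(credentials):
    """Return (fido2_labels, other_credential_types) for one user's list."""
    fido2 = []
    others = set()
    for cred in credentials:
        ctype = cred.get("type", "")
        if ctype in WEBAUTHN_TYPES:
            # userLabel is what the user (or the desk) named the key at registration.
            fido2.append(cred.get("userLabel") or cred.get("id", "<unlabelled>"))
        else:
            others.add(ctype)
    return fido2, sorted(others)


def audit(users_with_credentials):
    """Split users into those with and without a registered FIDO2 credential.

    users_with_credentials: iterable of (username, credential_list).
    Returns {"registered": {username: [labels]}, "missing": [usernames]}.
    """
    report = {"registered": {}, "missing": []}
    for username, creds in users_with_credentials:
        fido2, _ = summarize_credentials(creds)
        if fido2:
            report["registered"][username] = fido2
        else:
            report["missing"].append(username)
    report["missing"].sort()
    return report


def _get_json(url, token=None, data=None):
    """Minimal HTTP helper: GET, or POST when a urlencoded body is given."""
    req = urllib.request.Request(url, data=data)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def fetch_users_with_credentials(base_url, realm, client_id, client_secret):
    """Yield (username, credentials) for every user in the realm (live query)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    token = _get_json(f"{base_url}/realms/{realm}/protocol/openid-connect/token", data=body)["access_token"]
    users = _get_json(f"{base_url}/admin/realms/{realm}/users?max=1000", token)
    for user in users:
        creds = _get_json(f"{base_url}/admin/realms/{realm}/users/{user['id']}/credentials", token)
        yield user["username"], creds


# Constructed sample data, shaped like the Admin REST API credential representation.
SAMPLE = [
    ("alice", [{"id": "c1", "type": "password"},
               {"id": "c2", "type": "webauthn-passwordless", "userLabel": "YubiKey Bio (desk)"}]),
    ("bob",   [{"id": "c3", "type": "password"}]),
    ("carol", [{"id": "c4", "type": "password"}, {"id": "c5", "type": "otp"}]),
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_users_with_credentials(...)
    # with real placeholder values (https://sso.example.test, realm "corp", a
    # service-account client with the view-users role) for a live audit.
    print(json.dumps(audit(SAMPLE), indent=2))
```

The service-account client only needs the realm-management `view-users` role for these read calls. Users in the `missing` list are the ones who still need an appointment at the registration desk; entries under `registered` whose label does not match the desk's naming convention are worth a second look.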