Red Hat build of Keycloak
RHBK-3612

Allowing users to authenticate only through identity providers and not locally with Keycloak

Type: Feature
Resolution: Unresolved
Priority: Undefined

      Narrative

      Some customers operate Keycloak purely as an identity broker and therefore want to forbid local (realm) credentials entirely.
      Today, the Browser flow always exposes the Username/Password form (unless apps push kc_idp_hint, or a custom theme/flow hides it). This confuses users and weakens some customers' policy: users may try to log in locally while their policy mandates authentication through an IdP with 2FA only. The existing behavior may also break the desired journeys for the Organizations feature, where users should only select an organization IdP (or be auto-redirected to it if already linked).

      Value Proposition

      • Enable and enforce IdP-only as a first-class login experience for users.
      • Security hardening: removes the local password surface; guarantees 2FA/MFA-backed SSO policies at upstream IdPs.
      • Cleaner, compliant broker-only journey for workforce and B2B/B2C organizations.

      Goals

      • The login screen shows IdP choices only (e.g., Azure AD for workforce, 'ItsMe' for externals), with no local username/password prompt anywhere in the flow.
      • No local credentials across UIs:
        -> Account Console: remove/disable Password, WebAuthn (as local) and OTP as local configuration when IdP-only is enforced (unless explicitly allowed by the admin, e.g. via an exception policy).
        -> Admin Console: guardrails to prevent creating or resetting local passwords for users when the policy forbids it (with an override only for admin break-glass, if configured).
      • Backward compatibility:
        -> Default behavior unchanged until IdP-only is enabled.
        -> Works with existing themes (sane fallback) and honors IdP display hints/order.

      Non-Goals

      • No forced client participation: feature must not require apps to pass kc_idp_hint or additional query params.
      • No change to non-browser grants (client credentials, service accounts) or Admin REST auth. This proposal targets end-user browser SSO only.
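      Until such a feature exists, an operator who hides the Username/Password form through a customized browser flow (as the Narrative mentions) has no built-in guarantee that the local password surface is really gone. The following audit, added here as an illustration and not code from the issue or from Keycloak, walks a realm export's browser flow (descending into subflows and skipping DISABLED executions) to report whether a local password authenticator is still reachable, and lists users that still carry a local password credential. The realm fragment is constructed, and the export field names (browserFlow, authenticationFlows, authenticationExecutions, flowAlias, autheticatorFlow, credentials) are assumed to mirror Keycloak's realm export format; verify against a real export before relying on it.

```python
# Constructed sample realm export fragment (not from the issue). Field names follow
# the Keycloak realm export format as assumed here: browserFlow names the top-level
# flow, flows list executions, subflows are referenced by flowAlias with
# autheticatorFlow=True (Keycloak's own spelling). Verify against a real export.
SAMPLE_REALM = {
    "browserFlow": "browser",
    "authenticationFlows": [
        {"alias": "browser", "authenticationExecutions": [
            {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE"},
            {"authenticator": "identity-provider-redirector", "requirement": "ALTERNATIVE"},
            {"flowAlias": "forms", "autheticatorFlow": True, "requirement": "ALTERNATIVE"},
        ]},
        {"alias": "forms", "authenticationExecutions": [
            {"authenticator": "auth-username-password-form", "requirement": "REQUIRED"},
        ]},
    ],
    "users": [
        {"username": "alice", "credentials": [{"type": "password"}]},
        {"username": "bob", "federatedIdentities": [{"identityProvider": "azure-ad"}]},
    ],
}

# Authenticators that prompt for a realm-local password.
LOCAL_PASSWORD_AUTHENTICATORS = {"auth-username-password-form", "auth-password-form"}


def _reachable_executions(flows, alias, path):
    """Yield (authenticator, path) for every non-DISABLED execution under alias, recursing into subflows."""
    for ex in flows.get(alias, {}).get("authenticationExecutions", []):
        if ex.get("requirement") == "DISABLED":
            continue  # a disabled subflow hides everything beneath it
        if ex.get("autheticatorFlow"):
            sub = ex["flowAlias"]
            yield from _reachable_executions(flows, sub, path + [sub])
        elif "authenticator" in ex:
            yield ex["authenticator"], path


def audit_realm(realm):
    """Report reachable local password prompts in the browser flow and users holding a local password."""
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    top = realm.get("browserFlow", "browser")
    local_forms = ["/".join(p) + ": " + a
                   for a, p in _reachable_executions(flows, top, [top])
                   if a in LOCAL_PASSWORD_AUTHENTICATORS]
    pw_users = sorted(u["username"] for u in realm.get("users", [])
                      if any(c.get("type") == "password" for c in u.get("credentials", [])))
    return {"local_login_reachable": bool(local_forms),
            "local_form_paths": local_forms,
            "users_with_local_password": pw_users}
```

      On the constructed realm the report flags browser/forms as still reaching auth-username-password-form and lists alice as holding a local password; setting the forms subflow to DISABLED clears the first finding but not the second, which is exactly the gap the Account/Admin Console goals above describe.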

              rhn-support-igueye Issa Gueye