(or, obviously, just release appropriate attributes, if that's the issue, through the extremely flexible attribute filter, at which point the SP (should) reject access: https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631865/AttributeFilter I'm not sure why you could not achieve either of these with Keycloak, but there they are.)