

@zivadler zivadler commented Jan 28, 2026

Closes #45846

When a Keycloak user is created by SAML, it is created in KC as read-only.

We want to wrap this with a new flag in the Identity Provider -> SAML settings section: a new toggle there, disabled by default.

When the toggle is off/false, the Keycloak user created by SAML will be read-only, as it is today.

When the toggle is on/true, the Keycloak user created by SAML will not be read-only.


This pull request introduces a new option to make users created via SAML identity providers editable, even if they would otherwise be treated as read-only due to organization management policies. This includes UI changes for configuration, backend support for the new attribute, and updates to the logic that determines a user's editability.

SAML Identity Provider Enhancements:

  • Added a new configuration option (createdUsersEditable) to SAMLIdentityProviderConfig that allows users created via SAML to be editable in Keycloak.
  • Updated SAMLIdentityProvider to set a special user attribute when the new option is enabled, ensuring these users are not marked as read-only.

User Editability Logic:

  • Updated the logic in UserStorageManager and the Organizations utility to check for the new user attribute (kc.org.managed.member.editable) before marking a user as read-only, allowing exceptions for users created with the new SAML option.
  • Defined the new attribute constant in OrganizationModel for consistent usage.

Admin UI Improvements:

  • Added a toggle in the SAML identity provider settings UI to enable or disable the new "Make users created by this provider editable" option, with help text.
  • Added corresponding labels and help text to the English messages file for the new setting.

zivadler force-pushed the feat-dont-readonly-user-created-by-saml branch from 693bfc5 to e65498f on January 28, 2026 22:35

Successfully merging this pull request may close these issues: "when keycloak user is created by saml it's created in keycloak as readonly, wrap it with a new toggle flag"
