I need some brainstorming here, because I think that maybe I'm misunderstanding the whole SAML Federation point.
Some details about the context:
The federation is working fine - IdP users are correctly logged in and mapped to an existing, or just created, Data Store user. When a remote user is created on the Data Store, OpenAM assigns a random password that the user doesn't know, so the remote users can only login via the IdP.
Now, all users, including the remote ones, can access the console and set their own password. To prevent this, I set userPassword as a protected attribute, so if users don't know their current password they can't change it.
However I have noticed that users can request a Password Reset for accounts provisioned via the federation mechanism - this means that they can change the password for their account, and then login via the local login mechanism.
Am I missing something? Is this behavior expected when authenticating remote users? How do I set up everything in a way that allows me to keep local users separated from the remote ones?
I think I solved this. I have modified the Organization Auth Configuration to use a new chain containing a LDAP module instead of the default ldapService that uses the DataStore module. I am able to distinguish between federated and local users by checking for a specific attribute on the LDAP store, so I modified the LDAP module to apply a User Search Filter excluding the federated users and now they no longer can authenticate locally using the recovery password workaround.