Foreman: sync users so they do not have to log in themselves the first time

Problem: User has to log in once to be able to use Kerberos SSO

Expected outcome: User visits the page and the account is created directly

Foreman and Proxy versions: 1.18

Other relevant data:
[e.g. logs from Foreman and/or the Proxy, modified templates, commands issued, etc]

Is there a possible way to sync users directly so they do not have to log in directly or by using sssd?

We do have an option for LDAP on the fly user creation which might be what you’re looking for:

https://theforeman.org/manuals/1.18/index.html#4.1.1LDAPAuthentication

We activated that, but it only works when the user has logged in themselves at least one time via their AD-stored password. We want to build a little self-service around it for our helpdesk, but not all of them know their AD password due to two-factor authentication.

Which, by my understanding, means that they have to log in one time so Foreman can grab their hash out of LDAP and prove against it, and trusting Apache with its keytab that the user reported by the browser is mapped to the user stored in the DB linked to LDAP then makes the SSO.

Yeah, I think there is the solution: using sssd to gather that information and setting another option:
https://theforeman.org/manuals/1.18/index.html#5.7.5Populateusersandattributes