Guess I'll close this blog reference.
Ended up creating 2 customized pages for logins ... 1 for the admins of Moodle, and the other for the IDM users.
#1 works. Still can't test #2 as the IDM system (Keycloak) is as the developer phrased it ... 'add-hoc' ... e.g. not up all the time.
Seems we have a little disagreement as to what test needs to be performed when it comes to Moodle. IF I recall correctly, if, when using the IDM and a user can authenticate via that system, Moodle detects that the account already exists as a 'manual' account, user is prompted to 'merge' (think that's what the docs said) the accounts. Thus existing user ID in mdl_user table stays the same and only related authentication fields change in mdl_user. Do know this, if users are given an option, they sometimes choose incorrectly - especially if not forewarned/educated to the correct choice (last I heard, Google Classroom prompts the user to choose if they are teacher or a student and a wrong choice there begets undesirable results). IF the information screen for Moodle offers a choice and user chooses incorrectly, wanted to see what happens to the backend tables related. Seems to me the only fix would be direct manipulation of the DB.
Two other things .... entity is 'expecting' (or has been promised by consultant for IDM) single sign on where the users login to workstation and they won't have to provide credentials to Moodle to access. Kinda interesting as many accounts are not from the corps wide area private network, but from other corps.
Moodle does have a task to clean up stale sessions.
And, the consultant dropped a line that might prove to be interesting ... 'directive to put all behind cloudflare'. The 'proof of concept' Moodle (a clone of their production server with different FQDN) is hosted on RackSpace and RS does have a 'partnership' with Cloudflare. That's all done via DNS from what I read. It's still a factor from time to time ... even Moodle.org access begets that 'Oops! Something is wrong with the Internet'.
That affects direct access ... which, in that case would have to be by IP address .... and there is, of course, the Moodle config ... this URL only.
Since it's Linux I could still access via ssh to do updates/upgrades via git but might not be able to check if other plugins needed updating/upgrading if 'the internet' is 'down'. OK, don't do updates or upgrades if that's true then. Fine by me!
Anyhoo ... that's all for this blog! ;)
'spirit of sharing', Ken