Really sad that it is still an open issue. In researching, I found some references to this, and some workarounds, but nothing that seemed to work for the use case I have in mind. I think I've come up with a close approximation. I have Keycloak configured as an OAuth2 provider. Keycloak is configured to make the users authenticate with a digital certificate/smartcard. If they are pre-onboarded in Keycloak, then they successfully authenticate with their email and land at the Moodle website, with their user account automatically created with their email. The last step is for the admin to approve their Moodle account before they continue. The few weak points are the Moodle sign-on page userid/password blanks, which are useless in this use case, and the "are you new here" text, which is also unwanted. I found a few references in the forum to hiding/masking these so I won't have rogue users trying to create themselves. I am also adding some email domain restrictions for users, and will change the text on the "you've been emailed to confirm your access" page so it just provides info and doesn't lead the user to think they'll be contacted. I am NOT going to email-enable the platform in this scenario. So, potential workarounds for now.