...
- In step 6 of "Add an Identity Provider", you set "Allow Create" to "off" and selected the "Detect and Set Existing User" flow you created earlier in the process. The trick here is to temporarily undo those changes: set "Allow Create" to "on" and change the flow to "First broker login".
- Attempt to log in again.
- Keycloak will probably present you with a form for creating a new user since one couldn't be found. The form will be prepopulated with the Subject's NameID. Copy this for later use.
- Repeat step 6 of "Add an Identity Provider" to turn Allow Create off and specify your Detect and Set Existing User flow.
- Now when you log in, if you inspect the SAML response, you should see the assertions and the Subject's NameID.
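To make the "inspect the SAML response" step repeatable, the following added script (not part of this page or of Keycloak) decodes a captured SAMLResponse form value and prints the status, the Subject's NameID with its format, and the attributes Keycloak's IdP mappers would see. The embedded response is a constructed, unsigned sample; a real one is signed and may carry an EncryptedAssertion instead of a plain Assertion, which the script reports rather than parses.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 protocol and assertion namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned Response of the kind an IdP posts back
# to Keycloak's broker endpoint. Only the elements this script reads are present.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The browser posts the response base64-encoded in the SAMLResponse form field
# (copy it from the browser's network tab or a SAML tracer extension).
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def inspect_saml_response(saml_response_b64):
    """Decode a SAMLResponse value; return status, NameID and attributes."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Encrypted assertions need the SP's decryption key; report, don't guess.
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        return {"status": status, "encrypted": encrypted, "name_id": None, "attributes": {}}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status,
        "encrypted": False,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_SAMLRESPONSE))
```

Compare the printed NameID and attribute names against the IdP mappers configured in Keycloak; a mismatch there is the usual reason "Detect and Set Existing User" fails to find the Folio user.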
Open Questions
- TBD
- Is there a way for Folio admins (who don't have access to the Keycloak Administrative Console) to see some basic info, e.g. the IdP mappers (which SAML attribute maps to which Folio user field)?