Keycloak: Invitation to link an IdP account with a broker account

Question

We have a Keycloak broker and 2 external identity providers. An administrator should be able to invite new users. At this point, the administrator already defines the roles of the user to be invited.

We thought it would be best if the user could select its IdP account after clicking the link in the invitation email. This should then be securely linked to the broker account to enable login to the invited service.

I am currently familiarizing myself with the documentation on Keycloak Action Tokens and First Login Flow, but have not yet found any documentation on how to implement such a flow securely.

Can anyone give me a brief description or recommend good documentation on how best to proceed here? Are there perhaps better concepts/flows for implementing this? Am I already on the right track? I am grateful for any advice.