I didn't follow the entire flow but I assume the CP comes into play *after* successful login.
For the record, my custom ValidateUser looks like:
    METHOD PUBLIC LOGICAL ValidateUser(credentials AS IUserCredentials):
        DEFINE VARIABLE authenticator AS KeycloakAuthenticator NO-UNDO.
        DEFINE VARIABLE response AS AuthenticationReponse NO-UNDO.
        DEFINE VARIABLE username AS CHARACTER NO-UNDO.

        // Authenticate against Keycloak with the supplied (AD) credentials
        authenticator = NEW KeycloakAuthenticator().
        response = authenticator:DirectGrantLogin(credentials:UserName, credentials:Password).

        // The application's username is carried in a custom claim of the JWT
        username = response:JWT:GetClaim('exspect_username').
        // SessionManager:UserName = username. would be nice

        RETURN response:Authenticated.
    END METHOD.
The code is not complete yet, but the username variable has the application's username, and credentials has the AD username. Now, since ValidateUser just returns true (or false), I don't quite know what to do with username (i.e. the application username).