AzureAD SAML SSO -> Keycloak Broker -> OpenID client | questions


Using AzureAD SAML SSO as IDP.
Keycloak has a SAML 2.0 IDP configured as a broker, used for logging in to a public OpenID Keycloak client. The end result is a JWT token in the frontend application.

SP-initiated login (e.g. from the Keycloak login screen) works fine, including mapping of SAML attributes etc.
IDP-initiated login (e.g. from Azure to Keycloak) fails with an invalid request.
Now, I will be happy to share all details as needed, but I would just wanna make sure that what I am trying to accomplish here makes sense in Keycloak and that it's likely just a misconfiguration on my part (if so, I will collect and share all settings), because I read an SO post somewhere which made me question whether it's even possible.

Another question I have: I am looking for a simple way in our frontend app (JWT) to tell whether the user logged in with a standard username/password or through the SSO mentioned above (SP-initiated). What is a reliable way to determine that? I was thinking of adding a mapper in the IDP that says "ssoLogin true" or something, but hardcoded attributes don't seem to be passed along. What do you recommend?