Hello,
I am new to Keycloak and would like an opinion on whether the following flow is possible with Keycloak.
Keycloak Client (OIDC) → Keycloak IAM (SAML) <-> Customer IDP
Basically, all internal apps will always interface with Keycloak IAM (via the Keycloak client adapter) using OIDC, but the customer may want to use the SAML protocol for federation.
So, the expectation is that the client will always trigger the OIDC flow to Keycloak IAM, but Keycloak should trigger the SAML flow with the IDP. Once the user is logged in at their IDP and directed back to Keycloak with a valid SAML response, Keycloak should resume the OIDC flow and return the token back to the Keycloak client.
Any help in this regard is appreciated.