Google IDP-initiated login is failing due to empty RelayState

We have Google SAML SSO login (IDP) in our Spring Boot application (SP) with Keycloak as IDP broker. The SP-initiated login (SpringApp -> keycloak -> GoogleSSO -> keycloak -> Spring) works fine. However, if I log in to my Google account and click my SAML application tile from the Google app menu, the SSO fails at the ACS endpoint with the error below.

The error below is logged in the Keycloak server logs.

ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-424) invalidRequestMessage

WARN [org.keycloak.events] (default task-424) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=****-realm, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalidRequestMessage

Keycloak Identity Provider Configuration:

  • Created a new SAML v2.0 identity provider from the Identity Providers menu.
  • Redirect URI: https://{keycloak-root}/auth/realms/{realm-name}/broker/{alias}/endpoint
  • First Login Flow: first broker login
  • Service Provider Entity ID: https://{keycloak-root}/auth/realms/{realm-name}
  • Single Sign-On Service URL: {google idp sso url}

Keycloak Client Configuration:

  • Created a new Keycloak client for SSO.
  • Client Protocol: SAML
  • Signature Algorithm: RSA_SHA_256
  • Name ID Format: Username
  • Valid Redirect URIs: {spring-boot-app-url} after successful authentication from google and keycloak

Google SAML App Configuration:

  • Entity ID: https://{keycloak-root}/auth/realms/{realm-name}
  • ACS URL: https://{keycloak-root}/auth/realms/{realm-name}/broker/{alias}/endpoint

We compared the SAML request of both SP and IDP login. In IDP login, on successful redirection from Google to the Keycloak ACS URL, we found the RelayState parameter is empty. But in SP login, the same RelayState parameter has a string value.

We could set a default value for RelayState using the Start URL field inside the Google SAML app. But the problem is that Keycloak generates this value dynamically, and it changes on every login request.

Please suggest whether any configuration changes have to be made to make IDP-initiated login work.
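The difference the post observes (RelayState present in the SP-initiated flow, empty in the IDP-initiated one) is a general property of SAML 2.0 Web Browser SSO: an unsolicited Response carries no InResponseTo and the SP has never sent a RelayState of its own, so the SP has nothing to correlate and must fall back to its own landing target, while every other check (Destination, Status, audience, validity window) still applies. The following added example, which is not code from the post, from Keycloak or from Spring, shows what an ACS endpoint has to check in each case. It assumes placeholder hostnames and realm names, a constructed unsigned Response, a fixed demo clock, and that XML signature verification has already been done by the SAML library before these checks run.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder values in the same shape as the post's configuration (constructed).
SP_ENTITY_ID = "https://keycloak.example/auth/realms/myrealm"
ACS_URL = "https://keycloak.example/auth/realms/myrealm/broker/google/endpoint"
IDP_ISSUER = "https://idp.example/saml2"
# Fixed clock inside the assertion's validity window (constructed for the demo).
DEMO_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)


def build_response(in_response_to=None, audience=SP_ENTITY_ID, destination=ACS_URL):
    """Constructed, unsigned SAML Response (a real one is signed by the IdP)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}"{irt}>
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_acs_post(form, outstanding, now):
    """Check an ACS POST and return which flow it belongs to.

    form:        POST fields, i.e. SAMLResponse and an optional RelayState.
    outstanding: AuthnRequest IDs this SP issued -> the RelayState it sent with each.
    Returns "sp-initiated" or "idp-initiated"; raises ValueError if any check fails.
    Signature verification is assumed to have happened before this point.
    """
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match this ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"IdP reported failure status {status}")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS).text
    if audience != SP_ENTITY_ID:
        raise ValueError(f"assertion audience {audience!r} is not this SP")

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited (IdP-initiated) response: the SP never sent an AuthnRequest,
        # so there is no request ID to correlate and no RelayState of its own to
        # expect. An empty RelayState is normal here; the SP chooses its own
        # post-login target instead of trusting whatever RelayState arrived.
        return "idp-initiated"
    expected_state = outstanding.pop(in_response_to, None)
    if expected_state is None:
        raise ValueError("InResponseTo matches no outstanding AuthnRequest")
    if form.get("RelayState", "") != expected_state:
        raise ValueError("RelayState differs from the value sent with the request")
    return "sp-initiated"


def acs_outcome(form, outstanding, now=DEMO_NOW):
    """Wrap validation into an (accepted, detail) pair, as a handler would before
    choosing between a session and an HTTP 400 plus an audit event."""
    try:
        return True, validate_acs_post(form, outstanding, now)
    except ValueError as exc:
        return False, str(exc)
```

In the SP-initiated case the RelayState is opaque state the SP itself minted, which is why it is different on every login and why it is compared against the stored value rather than interpreted; in the unsolicited case the SP cannot expect it at all, so an ACS endpoint that requires it will reject every IDP-initiated login.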