IDENTITY_PROVIDER_LOGIN_ERROR invalid_code on 2 minute IdP login

I have set up Keycloak Identity Providers for 2 clients. Both are Azure AD, though slightly different setups.

For each the login flow works perfectly except…

…if the login takes a little bit of time, the user is taken to https://(>/auth/realms//broker//endpoint which displays “An error occurred, please click here to login again.”

Each time I click AD login button and wait for 2 minutes or more, that page is displayed.

The keycloak server includes the log:
13/08/2020 2:03:40 pm 04:03:40,421 WARN [] (default task-297) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=a5ad09fb-04bc-4b8f-b328-51eabe76c750, clientId=null, userId=null, ipAddress=, error=invalid_code

If I ‘click here’ and go through the IdP saml login flow without pause, I then get taken to the login page (https://(>/auth/realms//login-actions/authenticate…) which displays “The login page has expired. Please click here to try again.”

If I then ‘click here’ and go through the IdP saml login flow again without pause, I am logged into the app.

Is there any way (configuration?) that I can allow a bit more time for the idp login flow to complete?

I was thinking it might be related to the realm token times, but my adjustments so far aren’t changing the behaviour.

For now (to give largish values) I’ve set “Client login timeout”, “Login timeout”, “Login action timeout”, “User-Initiated Action Lifespan” all set to 15 mins.

Any help is greatly appreciated.