I am setting up IdP-initiated authentication from ServiceA to my application using Keycloak. So far, I have provided all the configuration required by ServiceA, and I have also configured a SAML Identity Provider in Keycloak with the appropriate configuration values received from ServiceA.
The issue: When I click on the application icon on the ServiceA portal, the flow initiates as expected. I receive a SAML response with status Success, the Destination attribute URL matches the Assertion Consumer Service endpoint configured on ServiceA, and the Audience is OK as well, but after being redirected to Keycloak I encounter an error saying:
We are sorry... Cookie not found. Please make sure cookies are enabled in your browser.
Here is the message from the Keycloak logs: type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=XX.XXX.XXX.XXX, error=cookie_not_found
And this is what Devtools in Firefox says: Cookie “KC_STATE_CHECKER” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None” attribute to it.
Keycloak version: 22.0.1
In this version there is no option to configure anything related to cookies (at least from the UI and REST API point of view).
Questions:
- Why does Keycloak struggle to find the KC_STATE_CHECKER cookie in this flow?
- Can I somehow ensure that the SameSite=None attribute is properly added to Keycloak cookies?
- Are there some additional configurations that need to be done on Keycloak or on ServiceA?
Thank you for your answers.
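Editor's note, added to this page and not part of the question or of Keycloak: the Firefox warning quoted above describes the general browser rule that decides whether a cookie travels with a cross-site POST such as the SAML Response an IdP posts back to a broker endpoint. The helper below applies that rule to raw Set-Cookie headers, so you can paste the headers from a login response and see which cookies a browser would withhold (no SameSite or an invalid value is treated as Lax; SameSite=None without Secure is rejected outright). The sample headers are constructed for illustration; only the cookie names KC_STATE_CHECKER and AUTH_SESSION_ID come from Keycloak, the attribute combinations are assumptions.

```python
"""Classify Set-Cookie headers by whether a modern browser would attach the
cookie to a cross-site (third-party) POST.

Added example for this page; not Keycloak code. The sample headers below are
constructed, and their attribute combinations are assumptions made for the
demonstration.
"""

from dataclasses import dataclass

# Constructed sample of what a login response might carry.
SAMPLE_SET_COOKIE_HEADERS = [
    "KC_STATE_CHECKER=abc123; Path=/realms/myrealm/; HttpOnly",
    "KC_STATE_CHECKER=abc123; Path=/realms/myrealm/; HttpOnly; SameSite=None; Secure",
    "AUTH_SESSION_ID=xyz; Path=/realms/myrealm/; Secure; HttpOnly; SameSite=Strict",
    "BROKEN=1; Path=/; SameSite=None",      # None without Secure is rejected
    "ODD=2; Path=/; SameSite=Nonsense",     # invalid value is treated as Lax
]


@dataclass
class CookieVerdict:
    name: str
    effective_samesite: str          # "None", "Lax", "Strict" or "rejected"
    sent_on_cross_site_post: bool
    reason: str


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify(header: str) -> CookieVerdict:
    """Apply the browser SameSite rules to a single Set-Cookie header.

    Caveat: Chrome grants cookies younger than two minutes a temporary
    'Lax+POST' exception; this check treats the default as plain Lax, which is
    the behaviour Firefox's warning describes.
    """
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    raw = attrs.get("samesite", "").lower()
    if raw == "none":
        if not secure:
            return CookieVerdict(name, "rejected", False,
                                 "SameSite=None requires Secure; the browser drops the cookie")
        return CookieVerdict(name, "None", True,
                             "SameSite=None; Secure: sent in third-party contexts")
    if raw == "strict":
        return CookieVerdict(name, "Strict", False,
                             "SameSite=Strict: never sent cross-site")
    if raw == "lax":
        return CookieVerdict(name, "Lax", False,
                             "SameSite=Lax: sent on top-level GET navigations only, "
                             "not on a cross-site POST")
    if raw == "":
        return CookieVerdict(name, "Lax", False,
                             "no SameSite attribute: modern browsers default to Lax, "
                             "so not sent on a cross-site POST")
    return CookieVerdict(name, "Lax", False,
                         f"invalid SameSite value {attrs['samesite']!r}: treated as Lax")


def cookies_dropped_on_cross_site_post(headers):
    """Names of cookies a browser would withhold from a cross-site POST."""
    return [v.name for v in map(classify, headers) if not v.sent_on_cross_site_post]


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE_HEADERS:
        v = classify(h)
        print(f"{v.name:18} cross-site POST: {v.sent_on_cross_site_post!s:5} ({v.reason})")
```

Run it against the real headers captured from the browser's network tab to see which of them a cross-site POST would arrive without; a cookie that the broker endpoint expects, but that shows up here as Lax or rejected, is consistent with the cookie_not_found error in the question.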