IDP initiated flow with Azure SAML

Hello,
I’d like to configure IDP-initiated flow using Keycloak and Azure with SAML but couldn’t get it working correctly. I had “invalid destination” errors in Keycloak logs.
Does someone know exactly how to configure it on both Keycloak and Azure?
Thanks!

I don’t know Azure specifically, but I’ve linked a few things on this topic before.

Post what you are trying and we can help you debug.

So on the realm I have configured a SAML identity provider (coming from Microsoft Azure AD):

I then configured a client to enable IDP initiated login (as mentioned in this linked article: https://www.lisenet.com/2020/keycloak-with-okta-idp-initiated-sso-login/):
Image in next reply since I can’t post multiple in one.

And this is the configuration in Azure:
Image in next reply since I can’t post multiple in one.

When I try to test to log in from Azure, I’m getting these logs:

2024-04-02 12:14:28,602 WARN  [org.keycloak.events] (executor-thread-18) type="IDENTITY_PROVIDER_LOGIN_ERROR", realmId="xxxxxxxxx", clientId="null", userId="null", ipAddress="xxxxxxxxxxx", error="invalidRequestMessage"
2024-04-02 12:14:28,603 ERROR [org.keycloak.services.resources.IdentityBrokerService] (executor-thread-18) invalidRequestMessage

I’ve tried different values for ACS on both sides (Azure and Keycloak) but without success; last week I was getting an “invalid destination” error in the log but can’t reproduce it for now.
This is the ACS URL I have both on Azure and the newly created Keycloak SAML client:

https://dev-corxxxx.com/auth/realms/xxxxxxxx/broker/saml/endpoint

I’m pretty sure it is just a misconfiguration somewhere but can’t find it.
Thanks for your help!
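A small diagnostic for exactly this kind of ACS / Destination mismatch, added here as an example (it is not from the original thread and not Keycloak code): decode the SAMLResponse form field that Azure POSTs to the broker endpoint and compare its Destination and Recipient URLs with the endpoint URL you configured. The host, realm name and tenant id are placeholders, and the sample response is constructed; the mismatch hints are the script's own heuristics, not a description of how Keycloak compares the values.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, not a real Azure response: a minimal unsigned SAML Response whose
# Destination carries a trailing slash that the Keycloak broker endpoint URL does not.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-04-02T12:14:28Z"
  Destination="https://dev-corxxxx.com/auth/realms/myrealm/broker/saml/endpoint/">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-04-02T12:14:28Z">
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
        Recipient="https://dev-corxxxx.com/auth/realms/myrealm/broker/saml/endpoint"/>
    </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # as in the SAMLResponse form field

def describe_mismatch(actual, expected):
    """None when the URLs are byte-identical, otherwise a hint about how they differ."""
    if actual == expected:
        return None
    a, e = urlsplit(actual), urlsplit(expected)
    if (a.scheme.lower(), a.netloc.lower(), a.path.rstrip("/")) == \
       (e.scheme.lower(), e.netloc.lower(), e.path.rstrip("/")):
        return "differs only in trailing slash or letter case"
    if a.netloc.lower() != e.netloc.lower():
        return "host differs (reverse proxy / internal hostname?)"
    return "path differs (realm name or endpoint path)"

def check_saml_response(saml_response_b64, expected_endpoint):
    """Decode a POSTed SAMLResponse and compare its target URLs with the broker endpoint."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    scd = root.find(".//saml:SubjectConfirmationData", SAML_NS)
    urls = {"Destination": root.get("Destination"),
            "Recipient": scd.get("Recipient") if scd is not None else None}
    findings = []
    for label, value in urls.items():
        if value is None:
            findings.append(f"{label}: attribute missing")
        elif (hint := describe_mismatch(value, expected_endpoint)):
            findings.append(f"{label}: {value} != {expected_endpoint} ({hint})")
    return {**urls, "ok": not findings, "findings": findings}
```

Paste the base64 SAMLResponse value from the browser's network tab (the POST to .../broker/saml/endpoint) in place of SAMPLE_B64 to check a real login attempt.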

This video by @dasniko shows how to connect Azure AD and Keycloak. Maybe you will find the missing bits there: https://www.youtube.com/watch?v=LYF-NLHD2uQ


Thanks for your answer, but the video is about OIDC (I want SAML) and not the IdP-initiated flow (user coming from Azure and not from the SP to log in).