IDP initiated flow with Azure SAML

I’d like to configure IDP-initiated flow using Keycloak and Azure with SAML but couldn’t get it working correctly. I had “invalid destination” errors in Keycloak logs.
Does someone know exactly how to configure it on both Keycloak and Azure?

I don’t know Azure specifically, but I’ve linked a few things on this topic before

Post what you are trying and we can help you debug.

So I have, on a realm, configured a SAML identity provider (coming from Microsoft Azure AD):

I then configured a client to enable IDP-initiated login (as mentioned in this linked article):
Image in next reply since I can't post multiple in one.

And this is the configuration in Azure:
Image in next reply since I can't post multiple in one.

When I try to test to log in from Azure, I’m getting these logs:

2024-04-02 12:14:28,602 WARN  [] (executor-thread-18) type="IDENTITY_PROVIDER_LOGIN_ERROR", realmId="xxxxxxxxx", clientId="null", userId="null", ipAddress="xxxxxxxxxxx", error="invalidRequestMessage"
2024-04-02 12:14:28,603 ERROR [] (executor-thread-18) invalidRequestMessage

I’ve tried different values for ACS on both sides (Azure and Keycloak) but without success. Last week I was getting an “invalid destination” error in the log but can’t reproduce it for now.
This is the ACS URL I have both on Azure and the newly created Keycloak SAML client:

I’m pretty sure it is just a misconfiguration somewhere but can’t find it.
Thanks for your help!
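Added example, not code from the thread or from Keycloak: a small offline check of the kind behind an “invalid destination” rejection. It compares the Destination (and the bearer assertion’s Recipient) in a SAML Response against the ACS URL the broker endpoint is actually served on; the realm, broker alias, client name and the SAML message are constructed.

```python
# Added example, not Keycloak's code: check that a SAML Response's Destination and
# Recipient point at the ACS URL the broker endpoint is really served on.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def normalize(url: str) -> str:
    """Ignore host case, default ports and a trailing slash; the path must still match."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    default = {"https": 443, "http": 80}.get(p.scheme.lower())
    if p.port and p.port != default:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), host, p.path.rstrip("/") or "/", p.query, ""))

def check_destination(saml_response_xml: str, expected_acs: str) -> list:
    """Return the mismatches found; an empty list means the response was addressed
    to the endpoint we expect (the kind of check behind 'invalid destination')."""
    root = ET.fromstring(saml_response_xml)
    want, problems = normalize(expected_acs), []
    dest = root.get("Destination")
    if dest is None:
        problems.append("Response carries no Destination attribute")
    elif normalize(dest) != want:
        problems.append(f"Destination {dest} != ACS {expected_acs}")
    # Bearer assertions also name the intended receiver in Recipient; check it too.
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        rcpt = scd.get("Recipient")
        if rcpt is not None and normalize(rcpt) != want:
            problems.append(f"Recipient {rcpt} != ACS {expected_acs}")
    return problems

# Constructed sample (realm, alias and client names assumed): Azure was given the plain
# broker endpoint, while Keycloak receives IdP-initiated logins for a specific client
# under .../endpoint/clients/<client-url-name>, so both attributes miss.
EXPECTED_ACS = "https://sso.example.test/realms/myrealm/broker/azure/endpoint/clients/myclient"
WRONG_ACS = "https://sso.example.test/realms/myrealm/broker/azure/endpoint"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-04-02T12:14:28Z" Destination="{WRONG_ACS}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-04-02T12:14:28Z">
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{WRONG_ACS}"/>
    </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_destination(SAMPLE_RESPONSE, EXPECTED_ACS) or ["OK: destination matches"])
```

Paste the decoded SAMLResponse from the browser's POST to the broker endpoint in place of the sample to see which attribute Azure is filling with the wrong URL.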

This video by @dasniko shows how to connect Azure AD and Keycloak. Maybe you will find the missing bits there:


Thanks for your answer, but the video is about OIDC (I want SAML) and not the IDP-initiated flow (user coming from Azure and not from the SP to log in).