IdP Initiated Login: support redirect to a URL provided by an external IdP

Hey everyone,

I am looking for community support in the following scenario:

I have Keycloak 18 protecting access to several services, and users normally use Keycloak’s login form.

At the moment, I have a request for integration with an external identity provider.

Some inputs:

  • IdP is hosted under idp-com

  • Keycloak is hosted under sso-com

  • One of my apps is hosted under myapp-com

  • IdP users exist in Keycloak

My goal: The user should be able to click a URL under idp-com/... and become automatically authenticated at Keycloak and then be redirected to a custom URL within myapp-com.

I do not need to create or update Keycloak’s users, just verify the IdP’s user email is found.

Let’s imagine the URL may look like https://idp-com/saml/ssoservice?spentityid=https://sso-com/realms/realm-name&redirectTo=https://myapp-com/page1/page2

What I’ve done so far:

  • Created a new simplified authentication flow containing two executions:

    • Detect existing broker user

    • Automatically set existing user

  • Run external IdP service (simplesamlphp)

  • Created a new external identity provider in Keycloak by importing the metadata from simplesamlphp

  • Created a new SAML client in Keycloak with the following settings:

    • Valid Redirect URIs: https://myapp-com/

    • IDP Initiated SSO URL Name: my-saml-client

    • Assertion Consumer Service Redirect Binding URL: https://myapp-com/

  • Updated simplesamlphp settings:

    • SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: https://sso-com/realms/realm-name/broker/my-saml-idp/endpoint/clients/my-saml-client

My current results:

After I enter the initial URL https://idp-com/saml/ssoservice?spentityid=https://sso-com/realms/realm-name&redirectTo=https://myapp-com/page1/page2, I am asked to enter user credentials at the IdP, then I get automatically authenticated at Keycloak and redirected to https://myapp-com/?SAMLResponse=......

I can’t find any way to force Keycloak to use the RelayState param in my initial URL so that a user is redirected to https://myapp-com/page1/page2.

In Keycloak’s codebase, I found a getRedirectTo() function with the following annotation:

Gets a URL to redirect to if there is an IDP initiated login. Looks for a redirectTo query param first, then looks in RelayState, if not in either defaults to context path.

Unfortunately, I cannot find a way to specify the redirectTo param, or whether it works for my scenario at all.

Please suggest.

Thanks in advance.
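Added example (not from the post above and not Keycloak's own code): how a redirectTo / RelayState value carried on an IdP-initiated login URL would be extracted and checked against the client's registered Valid Redirect URIs before being used as the post-login destination, falling back to the context path otherwise. The matching rules (exact match, or a trailing `*` wildcard, compared on scheme and host before path) are an assumption approximating the allow-list behaviour, not Keycloak's implementation; the URLs and patterns are constructed from the post.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the IdP-initiated URL from the post, carrying redirectTo.
IDP_LOGIN_URL = (
    "https://idp-com/saml/ssoservice"
    "?spentityid=https://sso-com/realms/realm-name"
    "&redirectTo=https://myapp-com/page1/page2"
)

# Hypothetical "Valid Redirect URIs" entries for the SAML client.
VALID_REDIRECT_URIS = ["https://myapp-com/*"]


def extract_redirect_to(url):
    """Return the redirectTo value if present, else RelayState, else None."""
    params = parse_qs(urlparse(url).query)
    for key in ("redirectTo", "RelayState"):
        if params.get(key):
            return params[key][0]
    return None


def matches_valid_redirect(target, patterns):
    """Allow-list check (assumed rules): scheme and host must equal the pattern's,
    then the path must match exactly or, for a trailing '*', start with the prefix.
    Comparing host as a parsed component stops 'https://myapp-com.evil.example/...'
    from satisfying 'https://myapp-com/*'."""
    t = urlparse(target)
    if t.scheme != "https" or not t.netloc:
        return False
    for pattern in patterns:
        wildcard = pattern.endswith("*")
        p = urlparse(pattern[:-1] if wildcard else pattern)
        if (p.scheme, p.netloc.lower()) != (t.scheme, t.netloc.lower()):
            continue
        if wildcard and t.path.startswith(p.path):
            return True
        if not wildcard and t.path == p.path and not t.query:
            return True
    return False


def resolve_post_login_redirect(url, patterns, default="/"):
    """Validated redirectTo/RelayState target, or the default context path."""
    target = extract_redirect_to(url)
    if target and matches_valid_redirect(target, patterns):
        return target
    return default
```

With the non-wildcard entry `https://myapp-com/` only the exact root path is accepted, so a deeper target such as `/page1/page2` falls back to the default.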