IDP initiated sso + SP initiated SSO from external IDP should work together with the same relam

Hello @all, I am using keycloak as broker identity. I implemented 2 clients, 1 is openid-connect and another is using saml protocaol.
On client’s end he has to append /clients/client_name in ACS url while configuring IDP initiated sso.
but I want IDP initiated sso flow should work with SP initiated sso from the same app. But ACS url assertion is failing on idp`s end.

Invalid request, ACS Url in request doesn't match configured ACS Url

Is this the standard that separate apps for SP initiated as well as IDP initiated sso, if not then how to implement that both should work with the same app.

Hi @nkkumawat, wondering if your workflow matches the following:

  1. Login to my identity provider (like ping, okta, Azure AD etc)
  2. Click on the app that my admin has created
  3. Clicking on the app should SSO the user to keycloak (where I have created an Identity Provider and a client)

If so, were you able to get this to work?

Hi, have you had any luck with setting up SAML IDP initiated login? I’ve tried to follow this article Keycloak with Okta IDP Initiated SSO Login | :: Linux | Security | Networking but still can’t make it work properly.
As far as I understand, to make IDP initiated flow working we need to have one more “proxy” SAML client that forwards assertion to IDP broker in Keycloak that is integrated with 3rd party IDP (I use Okta). On other side Okta should target its SAML assertion to that SAML “proxy” client.
Finally I see SAML “handshake” is happening and Keycloak displays message “You are already logged in” and no redirect happens like in SP initiated flow.
Looks like some small piece is missing somewhere in configuration that will allow to redirect user to proper destination. Setting RelayState in “proxy” client settings does not help to redirect.
I’d appreciate any help. Thanks.