IDP initiated SSO with Keycloak as SP

Currently our setup on Keycloak involves an OIDC client and various SAML identity providers. We set up these identity providers to work with various customers' IDPs. And as far as service provider (Keycloak) initiated SSO, this works perfectly.

However, this does not work with IDP initiated SSO. This is an issue for Okta mainly, as a bunch of our customers use Okta. Going through the logs, all I get is a generic null pointer error from Keycloak SAML code when trying IDP initiated SSO; it doesn’t give me a whole lot to go on.

Reading more here, this seems to suggest that I have to use a SAML client to get IDP initiated SSO working.

Why does SP initiated login work with my setup without a SAML client, but IDP initiated SSO does not? Is there a way to do this without a SAML client? We are going to have a high number of SSO integrations, so if possible, I would like to only be creating an IDP configuration for each one and not a new client every time.

My best guess here is that it wants me to provide a relay state. What would a valid relay state URL be? Is that just the web app URL? Would this be a Keycloak URL?