"invalid Federated Identity Action Message" while connecting with SAML based IdP

Hi Folks,

My Problem statement is as below.

I am trying to connect Microsoft ADFS, an external SAML-based Identity Provider, with Keycloak for Identity Brokering. I created a SAML Identity Provider for ADFS from my Keycloak Service Provider and configured all the SSO endpoints.

When I try to log in to that realm with credentials via the IdP, I am redirected to the IdP login page, authenticated by the IdP, and redirected back to the Keycloak page, which shows me:

We’re sorry… invalidFederatedIdentityActionMessage

I checked all the XML documents exchanged in between using SAML Tracer and decrypted the SAML, which contains the status Success as below:

    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>

or sometimes

    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    </samlp:Status>

Solutions I have already tried that did not work:

  1. Turn on/off Validating Signatures (X509 Certificates)
  2. "X-Forwarded-Proto: http" instead of "X-Forwarded-Proto: https"
  3. PROXY_ADDRESS_FORWARDING=true in ENV variable

I have one doubt about setting up multiple endpoints for clients (I am not sure whether this might solve the issue or not).

I have only one endpoint available which is

  1. OpenID Endpoint Configuration.

Whereas in other places I found multiple endpoints, such as:

  1. OpenID Endpoint Configuration
  2. SAML 2.0 Identity Provider Metadata

So can someone please guide me to the solution for this issue?

Thanks in advance.
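When Keycloak only shows the generic "invalidFederatedIdentityActionMessage" page, the SAML Response captured with SAML Tracer is the place where the IdP actually says what happened: a top-level `Responder` status means the IdP refused the request, and the reason (if any) sits in the nested second-level `StatusCode` and the `StatusMessage`, not on the Keycloak side. The following is an added example, not code from the original post or from the Keycloak project: a small Python checker that takes a decoded Response, reports the top-level and nested status codes, the message, the issuer, the `Destination`, and whether an (encrypted) assertion is present at all. The two sample responses and their hostnames (`adfs.example.test`, `keycloak.example.test`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by a <samlp:Response> and its <saml:Assertion>.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def summarize_response(xml_text: str) -> dict:
    """Extract the diagnostic fields a broker admin wants from a decoded SAML Response."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("no <samlp:Status> element: not a SAML Response?")

    top = status.find("samlp:StatusCode", NS)
    top_code = top.get("Value") if top is not None else None
    # A second-level StatusCode is nested *inside* the first one (SAML core 3.2.2.2).
    sub = top.find("samlp:StatusCode", NS) if top is not None else None
    sub_code = sub.get("Value") if sub is not None else None
    msg = status.find("samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)

    has_assertion = root.find("saml:Assertion", NS) is not None
    has_encrypted = root.find("saml:EncryptedAssertion", NS) is not None

    if top_code == STATUS_SUCCESS and (has_assertion or has_encrypted):
        verdict = "IdP reports success and delivered an assertion; look at Keycloak's server log next"
    elif top_code == STATUS_SUCCESS:
        verdict = "IdP reports success but the Response carries no assertion"
    else:
        verdict = "IdP rejected the request; check the nested code/message and the IdP's own log"

    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "top_status": top_code,
        "sub_status": sub_code,
        "status_message": msg.text.strip() if msg is not None and msg.text else None,
        "has_assertion": has_assertion or has_encrypted,
        "verdict": verdict,
    }


# Constructed sample 1: a successful Response carrying a plain assertion.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://keycloak.example.test/realms/demo/broker/adfs/endpoint">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample 2: the IdP refused, with a nested second-level code and a message.
RESPONDER_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r2" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>constructed sample: relying party trust rejected the request</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


if __name__ == "__main__":
    for label, xml in (("success", SUCCESS_RESPONSE), ("responder", RESPONDER_RESPONSE)):
        print(label, summarize_response(xml))
```

To use it on a real capture, paste the decoded (and, if needed, decrypted) Response from SAML Tracer into a file and call `summarize_response(open(path).read())`. The point of the `destination` field is that the value the IdP put there should match the broker endpoint Keycloak is actually reachable at behind the proxy; if the scheme or host differs from what the browser used, the reverse-proxy headers listed above are the first thing to re-check.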

@malakparikh did you ever figure this out?

No. I tried to do it, but I haven't been able to so far.

Are you using a self-signed cert for SAML from your IDP? That is my issue. I think X.509 Certifications are out of sync.

I went through the synchronization of the X509 certificates; it was in sync, but even so I didn’t get the correct results.

Did you try generating a new one?