Is IDP initiated flow broken?

Hello everyone, I’m using Keycloak as a SAML Service Provider and Layer7 SiteMinder as a SAML Identity Provider.

The classic SP-initiated SAML flow is working without any issue, but I have a use case where I need to use an IDP-initiated flow.

When I use this flow, Keycloak gives me the following error:

We are sorry…
Login timeout. Please log in again.

In the server log I got the following error messages:

2020-05-08 10:08:07,426 INFO  [org.keycloak.saml.validators.ConditionsValidator] (default task-1) Assertion _e5d8deee188bdbe6e443259de73340780119 is not addressed to this SP.
2020-05-08 10:08:07,428 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-1) Assertion expired.

So from my point of view, this is because in the IDP-initiated flow the IDP doesn’t consume a SAML Authentication Request and generates a SAML Response without the InResponseTo=“ID_****” value containing the ID of the transaction Keycloak sent in the SAML Authentication Request.

Is there a way to ask Keycloak to bypass this verification?
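As an added example (not code from the original post and not Keycloak's own validator), the following Python models the checks a SAML 2.0 Service Provider applies to a Response before accepting its Assertion: the InResponseTo correlation that an IDP-initiated (unsolicited) Response cannot satisfy because no AuthnRequest preceded it, the AudienceRestriction match that stands behind a "not addressed to this SP" kind of failure, and the NotBefore/NotOnOrAfter validity window. The entity IDs, request IDs and the sample Response are constructed for this example; signature verification and encrypted assertions are out of scope.

```python
"""Checks an SP applies to a SAML 2.0 Response before trusting its Assertion.

Added example, not Keycloak's code: it models the InResponseTo,
AudienceRestriction and NotBefore/NotOnOrAfter checks so the failure modes
discussed in the thread can be reproduced offline. Signature verification
and EncryptedAssertion handling are deliberately left out.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed SP entity ID, invented for this example.
SP_ENTITY_ID = "https://sp.example.com/realms/demo"


def sample_response(audience=SP_ENTITY_ID, in_response_to=None,
                    not_before="2020-05-08T10:08:07Z",
                    not_on_or_after="2020-05-08T10:13:07Z"):
    """Constructed, unsigned Response. With in_response_to=None it has the
    shape of an IDP-initiated response: there is no AuthnRequest ID to echo."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2020-05-08T10:08:07Z"{irt}>
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2020-05-08T10:08:07Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate(xml_text, sp_entity_id, outstanding_request_ids, now,
             allow_unsolicited=False, skew=timedelta(seconds=30)):
    """Return a list of failure codes; an empty list means the assertion passed.

    outstanding_request_ids: IDs of AuthnRequests this SP sent and has not yet
    matched to a Response (empty in the IDP-initiated case).
    allow_unsolicited: whether a Response without InResponseTo is acceptable.
    """
    failures = []
    root = ET.fromstring(xml_text)

    # 1. Correlation with a request we actually sent.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            failures.append("UNSOLICITED")
    elif in_response_to not in outstanding_request_ids:
        failures.append("BAD_IN_RESPONSE_TO")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["NO_ASSERTION"]
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return failures + ["NO_CONDITIONS"]

    # 2. Audience: every AudienceRestriction must name this SP (SAML Core 2.5.1.4).
    for restriction in conditions.findall("saml:AudienceRestriction", NS):
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS)]
        if sp_entity_id not in audiences:
            failures.append("WRONG_AUDIENCE")
            break

    # 3. Validity window, with a small clock-skew allowance.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_time(not_before):
        failures.append("NOT_YET_VALID")
    if not_on_or_after and now - skew >= parse_time(not_on_or_after):
        failures.append("EXPIRED")
    return failures


if __name__ == "__main__":
    now = parse_time("2020-05-08T10:09:00Z")
    # IDP-initiated Response against an SP that only accepts solicited ones.
    print("unsolicited, strict SP:", validate(sample_response(), SP_ENTITY_ID, set(), now))
    # Same Response once unsolicited Responses are accepted.
    print("unsolicited, allowed:  ", validate(sample_response(), SP_ENTITY_ID, set(), now,
                                             allow_unsolicited=True))
    # Audience naming a different SP.
    print("wrong audience:        ", validate(sample_response(audience="https://other.example.com"),
                                             SP_ENTITY_ID, set(), now, allow_unsolicited=True))
```

Running the block prints the failure codes for each constructed case. The point to take from it is that a missing InResponseTo and a wrong Audience are two independent checks: allowing unsolicited Responses on the SP side only removes the first one, and the Audience in the assertion still has to equal the SP's entity ID.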

Hello @tube, I’m facing the same error when doing IDP-initiated SSO from Azure AD. Did you find out the root cause yet?

We are facing the same issue with Azure AD. @akashsolanki, did you find any solution?