Is RelayState essential for SAML Identity Brokering

Please, bear with me. I have extracted all the elements from response for somebody with expertise to compare.

I can’t get the Keycloak Identity Broker (kcloak-ext: bad) to accept the response from the external SAML IDP.
At the same time, another identical setup (kcloak-oos: good) with a third instance of Keycloak as the SAML IDP works fine and I can authenticate.

All I can find is an empty RelayState POST parameter from the external SAML IDP. Is that enough for the flow to fail?


Here are the HTTP POST: 400 (invalid request) items from the failed flow, kcloak-ext instance:
Cookies:

AUTH_SESSION_ID=63420834-cfb2-4caa-987b-798917fa5fcb.keycloak-0
KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI4ZTVmYTBmNS00YTNhLTRlMzAtODAxNi1iMTdkMDE5NTRiOGYifQ.eyJjaWQiOiJhY2NvdW50IiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cHM6Ly9rY2xvYWstZXh0LmFvLWludGVybmFsLmluZnJhLWhvc3QuY29tL2F1dGgvcmVhbG1zL2V4dC1icm9rZXIvYWNjb3VudC9sb2dpbi1yZWRpcmVjdD9wYXRoPXNlc3Npb25zIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwczovL2tjbG9hay1leHQuYW8taW50ZXJuYWwuaW5mcmEtaG9zdC5jb20vYXV0aC9yZWFsbXMvZXh0LWJyb2tlciIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9rY2xvYWstZXh0LmFvLWludGVybmFsLmluZnJhLWhvc3QuY29tL2F1dGgvcmVhbG1zL2V4dC1icm9rZXIvYWNjb3VudC9sb2dpbi1yZWRpcmVjdD9wYXRoPXNlc3Npb25zIiwic3RhdGUiOiIwLzE0YTA1ZTQ4LTE4ZDgtNGViMC04ZDQ2LWZmYmZlODI4MzQ1NSJ9fQ.-XcG3WZ9q5bkSr0DjH6hsrDFZx6Nq9RzVPbIdfb7J5w

Post Data:

"postData": {
  "RelayState": [
    ""
  ],
  "SAMLResponse": [
    "(omitted)"
  ]
}

SAML response:

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

Keycloak Log:

WARN  [org.keycloak.events] (default task-25) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=ext-broker, clientId=null, userId=null, ipAddress=10.0.3.101, error=invalidRequestMessage

And here are the HTTP POST: 302 (Found) items from the positive flow, kcloak-oos instance:
Cookies:

AUTH_SESSION_ID=052550d6-a765-434f-a425-e96e13121e8b.keycloak-0;
KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhM2Y5MmI5Mi1iMmFjLTQyNDAtYjkyZC05ZmJiOTI1ZmJiOGQifQ.eyJjaWQiOiJhY2NvdW50IiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cHM6Ly9rY2xvYWstb29zLmFvLWludGVybmFsLmluZnJhLWhvc3QuY29tL2F1dGgvcmVhbG1zL2V4dC1icm9rZXIvYWNjb3VudC9sb2dpbi1yZWRpcmVjdD9wYXRoPXNlc3Npb25zIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwczovL2tjbG9hay1vb3MuYW8taW50ZXJuYWwuaW5mcmEtaG9zdC5jb20vYXV0aC9yZWFsbXMvZXh0LWJyb2tlciIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9rY2xvYWstb29zLmFvLWludGVybmFsLmluZnJhLWhvc3QuY29tL2F1dGgvcmVhbG1zL2V4dC1icm9rZXIvYWNjb3VudC9sb2dpbi1yZWRpcmVjdD9wYXRoPXNlc3Npb25zIiwic3RhdGUiOiIwLzI2NmViZjBiLTc1NjEtNDQwNi1hNDM0LWMyOWVlYjZjYWZiOCJ9fQ.oZ9z9qtxfFXFFIc4B3CcH__x3_iYRLL9qjyG6m2bG0w

Post Data:

"postData": {
  "RelayState": [
    "ybHVQFfwzj2zcUFXo2bLEPW69KIHy6JnlnNPPUnzalU.CM9nKCnATKY.account"
  ],
  "SAMLResponse": [
    "(omitted)"
  ]
}

SAML response:

<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

It seems the answer is YES. A missing RelayState is enough to break the authentication on the broker.

It results in an error: code, clientId or tabId was null - IDENTITY_PROVIDER_LOGIN_ERROR.

I have verified this with a hand-crafted reverse proxy that discarded RelayState (set it to a blank string).
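As an added example (not part of the post above or of Keycloak itself), the following check reproduces the broker's decision over the two POST bodies shown in the thread: it parses the form body and reports whether RelayState is absent, empty, or structurally usable. The three-part layout code.tabId.clientId is an assumption taken from the error text "code, clientId or tabId was null" and from the good-flow value, not from Keycloak's source.

```python
import re
from urllib.parse import parse_qs

# Constructed POST bodies mirroring the failed (kcloak-ext) and successful
# (kcloak-oos) flows from the post; SAMLResponse is "(omitted)" as in the post.
BAD_FLOW_BODY = "RelayState=&SAMLResponse=%28omitted%29"
GOOD_FLOW_BODY = (
    "RelayState=ybHVQFfwzj2zcUFXo2bLEPW69KIHy6JnlnNPPUnzalU.CM9nKCnATKY.account"
    "&SAMLResponse=%28omitted%29"
)

# Heuristic: the code and tabId parts in the good flow look like base64url tokens.
_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_relay_state(relay_state):
    """Split a broker RelayState into (code, tabId, clientId).

    Returns None when the value is empty or does not carry all three parts.
    The clientId is left unconstrained because it may be a plain client name
    (e.g. "account") rather than an encoded token. Assumed layout, see lead-in.
    """
    if not relay_state:
        return None
    parts = relay_state.split(".", 2)
    if len(parts) != 3 or not all(parts):
        return None
    code, tab_id, client_id = parts
    if not (_TOKEN.match(code) and _TOKEN.match(tab_id)):
        return None
    return code, tab_id, client_id


def check_saml_post(body):
    """Return 'ok' or the reason a broker would reject this SAML POST body.

    Only the form envelope is inspected; the assertion itself is not parsed.
    """
    form = parse_qs(body, keep_blank_values=True)
    if "SAMLResponse" not in form:
        return "missing SAMLResponse"
    relay = form.get("RelayState", [""])[0]
    if not relay:
        return "empty RelayState: broker cannot recover code/tabId/clientId"
    if parse_relay_state(relay) is None:
        return "malformed RelayState: expected code.tabId.clientId"
    return "ok"


if __name__ == "__main__":
    print("bad flow: ", check_saml_post(BAD_FLOW_BODY))
    print("good flow:", check_saml_post(GOOD_FLOW_BODY))
```

Run against a captured body from a reverse proxy or browser devtools, this separates "the IDP dropped RelayState" from genuine assertion problems before digging into signatures or audience values.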