Keycloak as SAML SP - login loop on failure


I’m using keycloak as an SP to ADFS. Things work well until we encounter a failure response from ADFS like the following:

    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
    </samlp:StatusCode>

In these cases (the nameid error is just an example, there are other statuses that cause this), keycloak redirects to the idp, receives the same error to the assertion consumer, and loops until stopped. I’ve looked through the docs, but it’s not clear to me where error responses can be handled. I’d like to display a simple failure page rather than redirect to the IDP again. Can anybody shed some light on this for me?


To follow up on my own post, the above behavior was due to having a default IDP. On receipt of the SAMLResponse, the IdentityBrokerService would detect the error and attempt to show the login screen. Since there’s a default IDP set, a redirect to the IDP would occur. This repeats until you stop the browser. Seems that there ought to be some error detection here to stop repeated redirects.

Removing the default IDP stops the loop, but leaves the user at the Keycloak Log In page with no indication that an error has occurred. Is there any way to display an error message to the user on this page?
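The loop described in the follow-up (error response from the IdP, broker falls back to the login screen, default IdP triggers another redirect) is easiest to reason about with the two decisions spelled out: classify the `<samlp:Status>` of the incoming SAMLResponse, then decide whether to redirect again or render an error page. The block below is an added example, not Keycloak's IdentityBrokerService or any Keycloak API; `parse_status`, `BrokerLoopGuard` and the session-keyed failure counter are hypothetical, and both SAML responses are constructed to mirror the fragment quoted in the question.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: an ADFS-style failure with a nested second-level
# StatusCode, as in the question. Not a real capture.
FAILURE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed-1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>NameID policy not supported</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: the success case, so the guard can be seen resetting.
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed-2" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="{SUCCESS}"/>
  </samlp:Status>
</samlp:Response>"""


def parse_status(xml_text):
    """Extract top-level and nested StatusCode values plus the optional
    StatusMessage from a SAML 2.0 Response. Only the Status element is
    inspected; signature validation is out of scope for this example."""
    root = ET.fromstring(xml_text)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        raise ValueError("SAMLResponse has no samlp:Status/samlp:StatusCode")
    sub = top.find("samlp:StatusCode", NS)
    message = root.findtext("samlp:Status/samlp:StatusMessage", default=None, namespaces=NS)
    top_value = top.get("Value", "")
    return {
        "success": top_value == SUCCESS,
        "top": top_value,
        "sub": sub.get("Value") if sub is not None else None,
        "message": message,
    }


def describe(status):
    """Human-readable text for an error page, using the last URN segment
    of each status code (e.g. 'Requester / InvalidNameIDPolicy')."""
    parts = [status["top"].rsplit(":", 1)[-1]]
    if status["sub"]:
        parts.append(status["sub"].rsplit(":", 1)[-1])
    text = " / ".join(parts)
    if status["message"]:
        text += f": {status['message']}"
    return text


class BrokerLoopGuard:
    """Hypothetical loop breaker for an SP receiving SAMLResponses.
    Counts consecutive failures per browser session and stops redirecting
    to the IdP once the allowed retries are used up, returning an action
    the caller can map to 'render error page' instead of 'redirect'."""

    def __init__(self, max_idp_retries=0):
        self.max_idp_retries = max_idp_retries
        self._failures = {}  # session id -> consecutive failure count

    def next_action(self, session_id, status):
        if status["success"]:
            self._failures.pop(session_id, None)
            return "continue_login"
        count = self._failures.get(session_id, 0) + 1
        self._failures[session_id] = count
        if count > self.max_idp_retries:
            return "show_error_page"
        return "redirect_to_idp"


if __name__ == "__main__":
    guard = BrokerLoopGuard(max_idp_retries=1)
    failure = parse_status(FAILURE_RESPONSE)
    for attempt in range(3):
        action = guard.next_action("browser-session-A", failure)
        print(f"attempt {attempt + 1}: {action}  ({describe(failure)})")
```

With `max_idp_retries=0` (the default) the first non-Success status already yields `show_error_page`, which is the behaviour the follow-up is asking for; a value of 1 allows a single retry for transient IdP errors before the page is shown. The counter is keyed on the browser session so a failure in one session never affects another, and it is cleared on the first successful response.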


@cdouthart I’m facing the same issue, did you find any solution?