Keycloak as SP and SAML SSO integration

We are using Keycloak (23.0.1) for auth, but we are still new to it.

We have a customer who uses SAML SSO. We’ve done the standard metadata exchange, and think (thought?) we have everything configured correctly. When we attempt to go through the SAML SSO login flow:

  1. The login with the IdP is successful but upon returning to us, the UI responds with “Unexpected error when authenticating with identity provider”.

  2. We’ve set our logging level to DEBUG, and no "ERROR" or "WARN" entries appear in the logs.

  3. We have the event logging turned on, but no attempts at SAML logins are recorded (other flows are listed).

  4. Under “Authentication → Flows” we are using the default “first broker login”. This has worked for us in the past with Google.

  5. We have created mappers to map the incoming users to the right role.

The only thing the logs show like an error is: “insert into EVENT_ENTITY (CLIENT_ID,DETAILS_JSON,ERROR,IP_ADDRESS,REALM_ID,SESSION_ID,EVENT_TIME,TYPE,USER_ID,ID) values (?,?,?,?,?,?,?,?,?,?)”

We are sort of running out of rocks to look under. Where should we keep looking to try to track this error down? Any advice would be appreciated…

Keycloak gives mostly unhelpful errors when trying to debug a connection to an IdP. Have you tried looking at the actual SAML that is coming across? I’ve found using the SAML-tracer Chrome extension to be invaluable to provide clues to what is going on.
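Following the suggestion to look at the actual SAML, here is an added example (not from this thread and not Keycloak's own code) that decodes a captured SAMLResponse form value and flags the mismatches that most often make the broker reject a login the IdP reported as successful: Destination vs. the broker endpoint, Audience vs. the SP entity ID, and the assertion validity window. The sample response, the idp.example.test / sp.example.test URLs and the `idp` alias are constructed; in Keycloak the broker endpoint is `{base}/realms/{realm}/broker/{alias}/endpoint` and the SP entity ID defaults to `{base}/realms/{realm}`.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample (hypothetical idp.example.test / sp.example.test URLs),
# shaped like the SAMLResponse form field the Keycloak broker endpoint receives.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://sp.example.test/realms/demo/broker/idp/endpoint">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
 </saml:Subject><saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.test/realms/demo</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML).decode()


def _ts(s):
    # Parse the xsd:dateTime values SAML uses; a trailing "Z" is not accepted before Python 3.11.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def inspect_saml_response(b64, expected_destination, expected_audience, now_iso):
    """Decode a SAMLResponse and report the fields that most often make the
    broker reject an otherwise successful IdP login. The signature is NOT checked."""
    root = ET.fromstring(base64.b64decode(b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    cond = root.find(".//saml:Conditions", NS)
    audience = root.find(".//saml:Audience", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    findings = []
    if root.get("Destination") != expected_destination:
        findings.append("Destination != broker endpoint URL")
    if audience is None or audience.text != expected_audience:
        findings.append("Audience != SP entity ID")
    if cond is None:
        findings.append("no Conditions element")
    elif not _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter")):
        findings.append("outside NotBefore/NotOnOrAfter window (clock skew?)")
    return {"issuer": root.findtext("saml:Issuer", None, NS),
            "status": None if status is None else status.get("Value"),
            "name_id": None if name_id is None else name_id.text,
            "name_id_format": None if name_id is None else name_id.get("Format"),
            "findings": findings}
```

Paste the SAMLResponse value captured by SAML-tracer in place of the constructed sample and compare the reported Issuer, NameID format and findings against the identity provider settings in the realm.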