Keycloak as SP for SAML IDP

I am trying to configure Keycloak as a SAML service provider for an external Identity Provider with an IDP-initiated login flow. At the moment I am testing with but the requirement is to support other providers like Microsoft AD, Okta and others.
I have configured as SAML IDP in Keycloak (I use version 8.0) and imported metadata during configuration of the IDP. I also exported my Keycloak metadata into a file and imported it into a
An attempt to initiate login from side results in an “Invalid request” error page, and in the logs I get:
12:22:40,036 WARN [] (default task-43) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=Dubber, clientId=null, userId=null, ipAddress=, error=invalidRequestMessage
12:22:40,036 ERROR [] (default task-43) invalidRequestMessage
The first issue that I am facing is that it is not clear if I need to install SAML adapters for Keycloak. Do I need to do it?
Second, do I need to configure any mappers for my IDP?
And finally, do I need to configure any Keycloak client in my scenario?

Thanks a lot in advance.

Hi, I have the same issue when I use an external Identity Provider with SAML 2.0. I cannot solve this issue… I am looking into the source code of Keycloak. Have you solved this issue?
My Error Message:
03:52:39,837 DEBUG [] (default task-3) Invalid request. Authorization code, clientId or tabId was null. Code=, clientId=null, tabID=null
03:52:39,837 WARN [] (default task-3) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=X.X.X.X, error=invalidRequestMessage

No, I haven’t found a solution via Keycloak yet; for the moment I implemented my own SAML receiving application and am going to use my app as the external IDP for Keycloak.


Thanks for your information.

There is a specific configuration for Keycloak for the SAML IDP-initiated flow: the application that you are integrating with Keycloak needs to be configured as a SAML SP (not the regular OIDC / OAuth flow).


Thanks Vijay, appreciate your help!

Hello @vijay, I’m facing the same issue reported by @adob. I’m trying to configure Okta as IdP for Keycloak.

When login starts from Keycloak (we can call it “SP initiated”) it works fine, but when I start from Okta (IdP initiated) it doesn’t work and I see this error in the logs:

08:19:56,497 DEBUG [org.keycloak.saml.common] (default task-229) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2020-06-04T08:19:56.497Z
08:19:56,497 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-229) Evaluating Conditions of Assertion id37421891469951621571969445. notBefore=2020-06-04T08:14:56.167Z, notOnOrAfter=2020-06-04T08:24:56.167Z, updatedNotBefore: 2020-06-04T08:12:56.167Z, updatedOnOrAfter=2020-06-04T08:26:56.167Z, now: 2020-06-04T08:19:56.497Z
08:19:56,498 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-229) Assertion id37421891469951621571969445 validity is VALID
08:19:56,498 WARN  [] (default task-229) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=[my_realmId], clientId=null, userId=null, ipAddress=[my_ip], error=invalidRequestMessage
08:19:56,498 ERROR [] (default task-229) invalidRequestMessage

You were mentioning a specific config for IDP initiated:

There is a specific configuration for Keycloak for the SAML IDP-initiated flow: the application that you are integrating with Keycloak needs to be configured as a SAML SP (not the regular OIDC / OAuth flow).

But this is related to clients and not to Identity Providers. I wasn’t able to find documentation about using an external IdP with an IdP-initiated login flow.

Any suggestion on how to configure it to accept an inbound login flow?

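As an added triage aid (not from this thread or the Keycloak project), the script below reads Keycloak server log lines like the ones quoted above and, per request thread, separates the pattern seen here (conditions validated, then IDENTITY_PROVIDER_LOGIN_ERROR with clientId=null and invalidRequestMessage) from other login errors. The sample lines are constructed, modelled on the quoted entries, with made-up realm, IP and task ids.

```python
import re

# Constructed sample lines modelled on the entries quoted in this thread
# (realm, IP addresses, task ids and assertion ids are made up).
SAMPLE_LOG = """\
08:19:56,497 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-229) Evaluating Conditions of Assertion idA1. notBefore=2020-06-04T08:14:56.167Z, notOnOrAfter=2020-06-04T08:24:56.167Z, updatedNotBefore: 2020-06-04T08:12:56.167Z, updatedOnOrAfter=2020-06-04T08:26:56.167Z, now: 2020-06-04T08:19:56.497Z
08:19:56,498 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-229) Assertion idA1 validity is VALID
08:19:56,498 WARN  [] (default task-229) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=203.0.113.5, error=invalidRequestMessage
08:20:01,101 WARN  [] (default task-230) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=203.0.113.9, error=invalidRequestMessage
08:21:10,000 WARN  [] (default task-231) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=myrealm, clientId=myapp, userId=null, ipAddress=203.0.113.7, error=invalidRequestMessage
"""

TASK_RE = re.compile(r"\(default (task-\d+)\)")
VALID_RE = re.compile(r"Assertion (\S+) validity is VALID")
EVENT_RE = re.compile(
    r"type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=(?P<realm>[^,]+), "
    r"clientId=(?P<client>[^,]+), userId=[^,]+, ipAddress=(?P<ip>[^,]+), "
    r"error=(?P<error>\S+)"
)

def triage(log_text):
    """Return one (task, realm, ip, verdict) tuple per IDENTITY_PROVIDER_LOGIN_ERROR."""
    valid_assertion = {}  # worker thread -> assertion id whose conditions validated
    results = []
    for line in log_text.splitlines():
        task_m = TASK_RE.search(line)
        if not task_m:
            continue
        task = task_m.group(1)
        v = VALID_RE.search(line)
        if v:
            # Remember that this thread already validated an assertion.
            valid_assertion[task] = v.group(1)
            continue
        e = EVENT_RE.search(line)
        if not e:
            continue
        no_client = e["client"] == "null" and e["error"] == "invalidRequestMessage"
        if no_client and task in valid_assertion:
            verdict = ("assertion %s validated but no client/tab state: looks like an "
                       "unsolicited (IdP-initiated) response" % valid_assertion[task])
        elif no_client:
            verdict = "rejected without a validated assertion on this thread (enable DEBUG for org.keycloak.saml)"
        else:
            verdict = "other login error (%s, clientId=%s)" % (e["error"], e["client"])
        results.append((task, e["realm"], e["ip"], verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(" | ".join(row))
```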

I am new to Keycloak and getting the same error while doing IdP-initiated SSO from Okta. What I can guess is that Keycloak needs some data in the RelayState parameter, but in IdP-initiated SSO it’s not coming. I am not sure if the link below can help us

I’m facing the same issue; were you able to resolve it?

Hello @arunvuyala, no, I’ve not solved it. My conclusion was that IdP-initiated login is not supported.

I’ve made a workaround by using a bookmark in Okta