Keycloak as SP with external SAML IDP


We have set up our app such that the app is configured as an OIDC client of Keycloak and Keycloak is configured as a SAML SP to an external SAML IDP. Now we do SP-initiated SSO from the app using kc_idp_hint, such that the user starts from the app and gets redirected to Keycloak, and Keycloak redirects the user to the IDP. After authentication at the IDP, the user's browser comes to Keycloak, Keycloak generates an authz code and redirects the user to the app, and the app exchanges the code with Keycloak to get the user attributes. This flow is working as expected. Now we want an IDP-initiated flow, such that the user clicks a link on the IDP (an IDP-generated SSO link) and lands on the app; we see that it fails after landing on Keycloak. Is there any way we can get it working so that both the IDP-initiated flow and the SP-initiated flow work in the app (while the app is an OIDC / OAuth client with Keycloak)?

Vijay Abhi

Hi @vijay, my scenario is the same. I want to ask whether this was solved for you.

Hi all,

Any update on this subject? I’ve been searching without any luck.

I’ve spent a bit of time trying to better understand this and from what I can tell, Keycloak requires the ACS URL to be defined on a per-client level for IdP-initiated SSO. This means that the standard, exportable SAML metadata will not be valid for IdP-initiated SSO.

The ACS URL for a SAML client will be root/auth/realms/{realm}/protocol/saml/clients/{url-name} per the Keycloak documentation, while the ACS URL for SP-initiated SSO will be root/auth/realms/{realm}.

From my experience with SAML, I have not seen an ACS that would be configured for separate endpoints, meaning that if you want to support BOTH IdP and SP-initiated SSO, you would need to set up two distinct SPs (one for IdP-init, one for SP-init). This way the SAML metadata would remain accurate for export/URL-sharing AND the same ACS could be used for both IdP and SP-initiated SSO.

I would love to see an enhancement to Keycloak that would allow for consuming SAML from an external IdP, and relying on something protocol-specific (like the relayState URL) to forward to the downstream client that the end-user is attempting to access.

Hope that helps!

Hi @vijay, could you share some details about the setup of the “kc_idp_hint”?
I’ve configured KC as SP with an external SAML IDP. Does it mean I need to create a client for this external SAML IDP?

@jolson_wfs So in IDP-initiated SSO from an external IDP, Keycloak (as SP) is not using the RelayState value for redirecting to the client app? I have just created another thread for this RelayState in IDP-initiated SSO from an external IDP.