Keycloak IDP-initiated flow with OIDC application

Hello community,

I have the following situation:

In the realm called: test-realm

  1. An application that uses OIDC for authentication with Keycloak (e.g. we can also use the security-admin-console for this example).
  2. A Keycloak Identity provider ‘okta-broker’ used to consume the SAMLResponse from Okta when the user clicks the application to initiate the flow.
  3. A Keycloak SAML 2.0 client ‘test-client-saml-oidc’ with the IDP-Initiated SSO URL name: okta-client
  4. An Okta identity provider with the IDP-initiated flow set up. The Single Sign-On URL: {kc_domain}/realms/test-realm/broker/okta-broker/endpoint/clients/okta-client

By default the SAML 2.0 client configured at step 3 will forward the response from Okta to another entity which consumes SAML. For OIDC this doesn’t work out of the box.
What I did was to go to the client Advanced Settings and enable the REDIRECT binding, which I populated with the value of the HomeUrl “http://localhost:8080/admin/test-realm/console” of the ‘security-admin-console’.

Exported client.json:

{
  "clientId": "test-client-saml-oidc",
  ....
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": true,
  "frontchannelLogout": true,
  "protocol": "saml",
  "attributes": {
    "saml_assertion_consumer_url_redirect": "http://localhost:8080/admin/test-realm/console/",
    "saml.force.post.binding": "false",
    "saml_idp_initiated_sso_url_name": "okta-client"
    ...
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "saml_organization",
    "role_list"
  ],
  "optionalClientScopes": [],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

With this method I’m logged in to both the SAML client ‘test-client-saml-oidc’ and the ‘security-admin-console’.

This is possible because the “browser” authentication flow has the “CookieAuthenticator”, which will attach a session in security-admin-console to the root session of test-client-saml-oidc.
Could a similar logic be added to the SAML client (or a special client implementation) in order to make the IDP-initiated client redirect to an OIDC application?

FYI: cross-post from Keycloak IDP-initiated flow with OIDC application · keycloak/keycloak · Discussion #37669 · GitHub
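A small checker for the exported client above (added example, not code from the original post or from Keycloak): it rebuilds the Okta Single Sign-On URL from the kc_domain, realm, broker alias and IdP-initiated SSO URL name, and flags a redirect-binding ACS URL that is empty, wildcarded, non-https or different from the OIDC application's home URL. The kc_domain value is a placeholder, and the sample JSON reproduces only the fields shown in the post.

```python
import json
from urllib.parse import urlparse

# Constructed sample: only the fields from the exported client.json shown in the post.
CLIENT_JSON = """{
  "clientId": "test-client-saml-oidc",
  "publicClient": true,
  "protocol": "saml",
  "attributes": {
    "saml_assertion_consumer_url_redirect": "http://localhost:8080/admin/test-realm/console/",
    "saml.force.post.binding": "false",
    "saml_idp_initiated_sso_url_name": "okta-client"
  }
}"""
SAMPLE_CLIENT = json.loads(CLIENT_JSON)


def idp_initiated_sso_url(kc_domain, realm, broker_alias, client):
    """Single Sign-On URL to configure in Okta, following the pattern given in the post."""
    name = client["attributes"]["saml_idp_initiated_sso_url_name"]
    return f"{kc_domain}/realms/{realm}/broker/{broker_alias}/endpoint/clients/{name}"


def check_client(client, expected_app_url):
    """Return a list of findings; an empty list means the export matches expectations."""
    findings = []
    if client.get("protocol") != "saml":
        findings.append("protocol is not saml")
    attrs = client.get("attributes", {})
    if not attrs.get("saml_idp_initiated_sso_url_name"):
        findings.append("no IdP-initiated SSO URL name set")
    if attrs.get("saml.force.post.binding") != "false":
        findings.append("POST binding is forced; the setup in the post relies on the REDIRECT binding")
    acs = attrs.get("saml_assertion_consumer_url_redirect", "")
    if not acs:
        findings.append("redirect-binding ACS URL is empty")
        return findings
    parsed = urlparse(acs)
    if "*" in acs:
        findings.append("ACS URL contains a wildcard")
    if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
        findings.append("ACS URL is not https")
    # The HomeUrl in the post has no trailing slash while the export has one; compare without it.
    if acs.rstrip("/") != expected_app_url.rstrip("/"):
        findings.append(f"ACS URL {acs} does not match the OIDC app home URL {expected_app_url}")
    return findings


if __name__ == "__main__":
    print(idp_initiated_sso_url("https://KC_DOMAIN_PLACEHOLDER", "test-realm", "okta-broker", SAMPLE_CLIENT))
    print(check_client(SAMPLE_CLIENT, "http://localhost:8080/admin/test-realm/console") or "export looks consistent")
```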