Keycloak works for Office365 but fails for SharePoint Online

Hoping someone has an idea here as Microsoft support is running out of ideas.

I have Keycloak connected to my domain with LDAP. That domain is synced with AzureAD.
After setting up my Tenant to connect with Keycloak using SAML, I am able to log in at or with no issue. If I go directly to SharePoint, it fails after login. If I go to and log in with Keycloak first, then SharePoint accepts the login fine.

It makes no sense that it works on the other Microsoft logins but not SharePoint.

Any ideas would be greatly appreciated.

Replying with the solution that we discovered with Microsoft. The issue turned out to be that I had created a Keycloak integration by direct federation under the External Identities in Azure.

When I removed this, SharePoint started using the correct SAML configuration instead of this Azure one.

I’m trying to use Keycloak as the identity provider to sign in into SharePoint Online.
Once I’ve configured Keycloak, do I need to add it to External Identities to make this work?
I’m missing the part of the direct federation… is there another way to make Keycloak an IdP in Azure?

Thank you.

So you definitely do NOT want to add it to External Identities, that is what was breaking mine.

I used some of the info from here: Azure AD Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure - Microsoft Entra | Microsoft Learn

Basically you open PowerShell and use: Connect-MsolService
Then set up the federation.

This is what mine looked like

# Federated domain and the brand name shown in the tenant (bracketed values are placeholders)
$dom = "[DOMAINNAME]"
$BrandName = "[BrandName]"
# Keycloak realm SAML endpoint; the same URL is used here for passive sign-in, active (ECP) sign-in and sign-out
$LogOnUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$LogOffUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$ecpUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
# Issuer URI registered for the IdP
$MyURI = "urn:federation:MicrosoftOnline"
# Base64-encoded realm signing certificate from Keycloak (no PEM header/footer)
$MySigningCert = "[KeycloakSigningCert]"
$Protocol = "SAMLP"
# Switch the domain from managed to federated and point it at Keycloak
Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $LogOnUrl `
  -ActiveLogOnUri $ecpUrl `
  -SigningCertificate $MySigningCert `
  -IssuerUri $MyURI `
  -LogOffUri $LogOffUrl `
  -PreferredAuthenticationProtocol $Protocol

I’m going to try to write up the whole process, but if this doesn’t get you working, let me know.
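An added check that is not part of the thread: after running Set-MsolDomainAuthentication as above, compare what the tenant stored for the domain against what the Keycloak realm actually publishes in its SAML metadata. It assumes the MSOnline module is loaded and Connect-MsolService has been run, and uses the same bracketed placeholders as the post; the `/protocol/saml/descriptor` path is Keycloak's realm IdP metadata endpoint.

```powershell
# Added example (not from the thread): verify the federation settings written
# with Set-MsolDomainAuthentication against Keycloak's published SAML metadata.
# Assumes MSOnline is installed and Connect-MsolService has already been run.
$dom      = "[DOMAINNAME]"                          # placeholder, as in the post
$keycloak = "https://[KeycloakURL]/realms/[REALM]"  # placeholder, as in the post

# 1. Fetch the realm's IdP metadata (Keycloak endpoint: /protocol/saml/descriptor).
[xml]$idp = (Invoke-WebRequest -Uri "$keycloak/protocol/saml/descriptor" -UseBasicParsing).Content
$sso = $idp.EntityDescriptor.IDPSSODescriptor

# Signing certificate(s) Keycloak currently uses, whitespace stripped so the
# base64 compares cleanly with the value stored in the tenant.
$kcCerts = @($sso.KeyDescriptor | Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { ($_.KeyInfo.X509Data.X509Certificate -replace '\s', '') })

# 2. Read what the tenant has for this domain.
$fed = Get-MsolDomainFederationSettings -DomainName $dom

function Get-CertThumbprint([string]$base64Der) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($base64Der))
    return $cert.Thumbprint
}

# 3. A certificate mismatch (e.g. after a realm key rotation) breaks signature
#    validation at sign-in, so check that first.
$azureCert = $fed.SigningCertificate -replace '\s', ''
$certOk = $kcCerts -contains $azureCert
Write-Host ("Tenant signing cert thumbprint  : {0}" -f (Get-CertThumbprint $azureCert))
Write-Host ("Keycloak signing cert thumbprint: {0}" -f (($kcCerts | ForEach-Object { Get-CertThumbprint $_ }) -join ', '))
Write-Host ("Signing certificate matches     : {0}" -f $certOk)

# 4. The HTTP-Redirect SSO endpoint Keycloak publishes should equal PassiveLogOnUri.
$kcSsoUrl = $sso.SingleSignOnService |
    Where-Object { $_.Binding -eq 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' } |
    Select-Object -First 1 -ExpandProperty Location
Write-Host ("PassiveLogOnUri matches Keycloak: {0}" -f ($fed.PassiveLogOnUri -eq $kcSsoUrl))

# 5. Print the issuer values for manual comparison against the Issuer element
#    in a captured SAML response from Keycloak.
Write-Host ("Tenant IssuerUri                : {0}" -f $fed.IssuerUri)
Write-Host ("Keycloak entityID               : {0}" -f $idp.EntityDescriptor.entityID)
```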