No REDIRECT to browser - JBoss EAP 7.4, KeyCloak SAML

Have been trying to upgrade an app that has been successfully running for the past 2 years from JBoss EAP 7.0 / Keycloak SAML to EAP 7.4 / Keycloak SAML. EAP 7.0 is in de-support so we need to upgrade.

However the REDIRECT to the SAML idp is not being sent to the browser so authentication fails.
Have tried different versions of Keycloak (3.4.3 [that was successfully used in EAP 7.0], 14.5.0, 5.0.2, 17.0.0) with the same result.

Keycloak is deployed as per instructions and adapter-elytron-install-saml.cli run.
EAP 7.4 is configured to use the newer Elytron security (the default).

standalone.xml settings for IDP are (with certain names changed for privacy):

<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.4">
    <secure-deployment name="test.war">
        <SP entityID="urn:org:test.local" sslPolicy="ALL" nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
            <PrincipalNameMapping policy="FROM_NAME_ID"/>
            <RoleIdentifiers>
                <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/>
            </RoleIdentifiers>
            <IDP entityID="idp">
                <SingleSignOnService signRequest="false" validateResponseSignature="true" requestBinding="REDIRECT" bindingUrl="https://soaadfs.org/adfs/ls"/>
                <SingleLogoutService postBindingUrl="not used"/>
                <Keys>
                    <Key signing="true">
                        <KeyStore password="password" file="C:/Users/Public/key/saml-truststore.jks">
                            <Certificate alias="soaadfs2"/>
                        </KeyStore>
                    </Key>
                </Keys>
            </IDP>
        </SP>
    </secure-deployment>
</subsystem>

I’ve built a bare-bones project that only has a single xhtml file, no Java code, and relevant web.xml, jboss-web.xml and jboss-deployment-structure.xml.
I’ve built a version 17.0.0 Keycloak with extra debug statements added.
From that I can see that the Keycloak code is being called, a SAML document is being built and org.keycloak.adapters.saml.SamlUtil.sendSaml is being called - but no redirect is sent back to the browser.

15:02:35,932 DEBUG [org.keycloak.adapters.saml.elytron.KeycloakHttpServerAuthenticationMechanism] (default task-1) Evaluating request for path [https://localhost:8443/test/secure/index.xhtml]
15:02:35,959 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-1) SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler@507439f]
15:02:35,960 DEBUG [org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler] (default task-1) doHandle
15:02:35,962 DEBUG [org.keycloak.adapters.saml.SamlSessionStore] (default task-1) session was null, returning null
15:02:36,986 DEBUG [org.keycloak.saml.common] (default task-1) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2022-04-11T05:02:36.786Z
15:02:36,998 DEBUG [org.keycloak.adapters.saml.AbstractInitiateLogin] (default task-1) AbstractInitiateLogin - sendAuthnRequest - isAutodetectedBearerOnly = false
15:02:37,124 DEBUG [org.keycloak.adapters.saml.SamlUtil] (default task-1) sendSaml
15:02:38,058 DEBUG [org.keycloak.saml.BaseSAML2BindingBuilder] (default task-1) saml document: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://soaadfs.org/adfs/ls" ForceAuthn="false" ID="ID_19c59f9b-6793-46f3-ab03-9e6a865e939c" IssueInstant="2022-04-11T05:02:36.786Z" Version="2.0"><saml:Issuer>urn:org:test.local</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></samlp:AuthnRequest>
15:02:38,233 DEBUG [org.keycloak.adapters.saml.SamlUtil] (default task-1) actionUrl https://soaadfs.org/adfs/ls
15:02:38,237 DEBUG [org.keycloak.saml.BaseSAML2BindingBuilder] (default task-1) saml document: <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://soaadfs.org/adfs/ls" ForceAuthn="false" ID="ID_19c59f9b-6793-46f3-ab03-9e6a865e939c" IssueInstant="2022-04-11T05:02:36.786Z" Version="2.0"><saml:Issuer>urn:org:test.local</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></samlp:AuthnRequest>
15:02:38,240 DEBUG [org.keycloak.adapters.saml.SamlUtil] (default task-1) responseUri https://soaadfs.org/adfs/ls?SAMLResponse=jZ..[redacted]..%3D
15:02:38,240 DEBUG [org.keycloak.adapters.saml.SamlUtil] (default task-1) sendSaml REDIRECT to https://soaadfs.org/adfs/ls?SAMLRequest=jZ..[redacted]..%3D
15:02:38,242 DEBUG [org.keycloak.adapters.saml.SamlUtil] (default task-1) Response class=class org.keycloak.adapters.saml.elytron.ElytronHttpFacade$2
15:02:38,244 DEBUG [org.keycloak.adapters.saml.SamlUtil] (default task-1) Response setStatus() - done
15:02:38,246 DEBUG [org.keycloak.adapters.saml.SamlUtil] (default task-1) Response setHeader() - done
15:02:38,247 DEBUG [org.keycloak.adapters.saml.SamlUtil] (default task-1) Response end() - done

At this point the response should be sent back to the browser - it’s never sent.
I have turned on Undertow's request-dumper filter so I can confirm it's not sent from the server.
Refreshing the page goes through the same process again.

The generated REDIRECT URL is correct - if I copy that and open it in the browser I can see SAML token processing happening on the server from debug statements and the target page is successfully opened. From then on all calls back to the server send the token (verified in the browser).

15:03:57,589 DEBUG [org.keycloak.adapters.saml.elytron.KeycloakHttpServerAuthenticationMechanism] (default task-1) Evaluating request for path [https://localhost:8443/test/secure/index.xhtml]
15:03:57,590 DEBUG [org.keycloak.adapters.saml.SamlAuthenticator] (default task-1) SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler@6158485b]
15:03:57,590 DEBUG [org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler] (default task-1) doHandle
15:03:57,592 DEBUG [org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler] (default task-1) AUTHENTICATED: was cached

I have tried many ways to resolve this but have hit a hard brick wall.
I cannot find any similar issues from many web searches.

A colleague has been able to replicate the issue in their own environment, so it doesn't appear to be a one-off.

Any help/hints appreciated!
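As an added example (not code from the post, from Keycloak or from the JBoss adapter), the Python script below reproduces the SAML 2.0 HTTP-Redirect binding that the "sendSaml REDIRECT to ...?SAMLRequest=..." log line refers to: the AuthnRequest is raw-DEFLATE compressed, base64 encoded and URL-encoded into the SAMLRequest query parameter. It then decodes such a URL and checks the request against the SP values from the standalone.xml shown above (entityID, bindingUrl, nameIDPolicyFormat). The AuthnRequest text is copied from the post's "saml document:" debug output; the SAMLRequest value the script produces is constructed here and is not the redacted one from the log; SP_CONFIG and all function names are my own.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SP values copied from the post's standalone.xml (the dict itself is mine).
SP_CONFIG = {
    "entityID": "urn:org:test.local",
    "bindingUrl": "https://soaadfs.org/adfs/ls",
    "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}


def sample_authn_request(destination=SP_CONFIG["bindingUrl"]):
    """AuthnRequest as printed in the post's 'saml document:' debug line.

    Constructed here for the example; Destination can be varied to show
    what a mismatch against the configured bindingUrl looks like.
    """
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'Destination="{destination}" ForceAuthn="false" '
        'ID="ID_19c59f9b-6793-46f3-ab03-9e6a865e939c" '
        'IssueInstant="2022-04-11T05:02:36.786Z" Version="2.0">'
        '<saml:Issuer>urn:org:test.local</saml:Issuer>'
        '<samlp:NameIDPolicy AllowCreate="true" '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect(authn_request_xml, binding_url):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encoded SAMLRequest."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = deflater.compress(authn_request_xml.encode("utf-8")) + deflater.flush()
    param = base64.b64encode(raw).decode("ascii")
    return f"{binding_url}?{urlencode({'SAMLRequest': param})}"


def decode_redirect(url):
    """Reverse of encode_redirect; raises if SAMLRequest is missing or malformed."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def check_authn_request(url, sp):
    """Return a list of mismatches between a redirect URL and the SP config."""
    problems = []
    parsed = urlparse(url)
    target = parsed._replace(query="").geturl()
    if target != sp["bindingUrl"]:
        problems.append(f"redirect target {target!r} is not the configured bindingUrl")
    root = ET.fromstring(decode_redirect(url))
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        problems.append(f"unexpected root element {root.tag}")
    if root.get("Destination") != sp["bindingUrl"]:
        problems.append(f"Destination {root.get('Destination')!r} != bindingUrl")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.text != sp["entityID"]:
        problems.append("Issuer does not match SP entityID")
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None or policy.get("Format") != sp["nameIDPolicyFormat"]:
        problems.append("NameIDPolicy Format does not match nameIDPolicyFormat")
    return problems


def build_sample_url(destination=SP_CONFIG["bindingUrl"]):
    """Redirect URL for the sample request, always aimed at the configured IdP."""
    return encode_redirect(sample_authn_request(destination), SP_CONFIG["bindingUrl"])


if __name__ == "__main__":
    url = build_sample_url()
    print(url[:80] + "...")
    print("round-trip ok:", decode_redirect(url) == sample_authn_request())
    print("problems:", check_authn_request(url, SP_CONFIG))
    print("mismatch demo:", check_authn_request(build_sample_url("https://other.example/ls"), SP_CONFIG))
```

To apply this to a real case, pass the full URL from the adapter's "sendSaml REDIRECT to" line to check_authn_request; an empty problem list confirms the adapter built what the configuration asks for, which narrows the fault to the response never being flushed by Undertow rather than to the SAML content. With signRequest="false" as in the post there is no SigAlg/Signature pair on the query string, so the script does not model request signing.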