Hi. I have a client application using SAML to authenticate to Keycloak, which is ultimately brokering authentication to an external IDP (Okta). My client application passes a RelayState to Keycloak which I can see in the requests. However, when the user completes authentication via Okta, the initial RelayState passed from my client is lost. Is there any way to preserve this, via configuration or a custom plugin implementation?
I have attempted to create my own auth plugin, inheriting from Keycloak’s username/password form, where I store the relay state query parameter in an auth and client note. However, it looks like this is lost by the time the client mappers are invoked when login is completed and the final SAML assertion is being generated.
Would be grateful for any advice.