Problem with brokering

Hello, if anybody could help me/us, I would be very thankful.
In our company, we use Keycloak as the Identity Provider (IdP) for our app. It works well when we use only LDAP/local accounts in Keycloak, but we need to be able to authenticate users who do not have identities in our Keycloak but have an identity at the B2ACCESS IdP. I have configured the B2ACCESS client, and also everything on our side in Keycloak, but we are not able to get an access token from the B2ACCESS IdP.
The authorization flow is: in the app, we initiate authorization through Keycloak (works with LDAP/local accounts) and we choose the other IdP. After logging in to the other IdP and allowing access to user info (profile, email, openid), we are redirected back to Keycloak, but an error occurs. In the URL there is the correct name of the client, but that's all, and the token is not sent back to the API of our app.
In the Keycloak log (Docker instance), there isn't much:

08:34:10,265 WARN [] (default task-17) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=IT4i_AAI, clientId=IT4I_IRODS_AUTH, userId=null, ipAddress=, error=identity_provider_login_failure, code_id=188e0823-5a31-4202-8955-6565bdb97040, authSessionParentId=188e0823-5a31-4202-8955-6565bdb97040, authSessionTabId=vfsOiRYN5qQ

All endpoints are auto-imported from the URL, so there are no typo errors… In B2ACCESS, the redirect URI points to our endpoint:

https://our-domain:8443/auth/realms/IT4i_AAI/broker/b2access-it4i/endpoint

The client name is correct; there isn't a problem there.

I'm confused whether there needs to be some broker client set up or something. I tried to set up a broker client with the read.token role and add this as a mapper to the B2ACCESS IdP, but this was just "playing with the balls".
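As an added example (editor's code, not part of the original post and not Keycloak's own tooling): a small Python helper that parses Keycloak event lines in the format shown above, pulls out the IDENTITY_PROVIDER_LOGIN_ERROR events, and rebuilds the broker callback URL from realm and IdP alias so it can be compared exactly, the way an OIDC provider compares `redirect_uri`, against what is registered at the external IdP. The first log line is the one from the post; the second INFO line, the user id in it, and the IP address are constructed for contrast.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Sample input: the WARN line from the post, plus one constructed INFO line
# (made-up userId and ipAddress) so the filter has something to exclude.
SAMPLE_LOG = """\
08:34:10,265 WARN [] (default task-17) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=IT4i_AAI, clientId=IT4I_IRODS_AUTH, userId=null, ipAddress=, error=identity_provider_login_failure, code_id=188e0823-5a31-4202-8955-6565bdb97040, authSessionParentId=188e0823-5a31-4202-8955-6565bdb97040, authSessionTabId=vfsOiRYN5qQ
08:35:02,110 INFO [] (default task-18) type=LOGIN, realmId=IT4i_AAI, clientId=IT4I_IRODS_AUTH, userId=c0ffee00-0000-4000-8000-000000000001, ipAddress=192.0.2.10
"""

# timestamp  LEVEL [logger] (thread) key=value, key=value, ...
# The logger category may be empty, as in the Docker output in the post.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]*)\]\s+"
    r"\((?P<thread>[^)]*)\)\s+(?P<fields>.*)$"
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one Keycloak event log line into a dict of its key=value fields.

    Returns None for lines that are not in the event format.
    """
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"timestamp": m["ts"], "level": m["level"], "thread": m["thread"]}
    for field in m["fields"].split(", "):
        key, sep, value = field.partition("=")
        if sep:  # skip fragments that are not key=value
            event[key.strip()] = value.strip()  # 'ipAddress=' yields an empty value
    return event


def failed_broker_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events whose type is IDENTITY_PROVIDER_LOGIN_ERROR."""
    events = (parse_event(line) for line in lines)
    return [e for e in events if e and e.get("type") == "IDENTITY_PROVIDER_LOGIN_ERROR"]


def broker_endpoint(base_url: str, realm: str, alias: str) -> str:
    """Keycloak's broker callback URL for an IdP alias.

    Uses the legacy /auth context path, as in the URL from the post.
    """
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/broker/{alias}/endpoint"


def _normalize(uri: str) -> str:
    # Scheme and host are case-insensitive (RFC 3986); path and query are not,
    # so a trailing slash or a different realm/alias casing stays a mismatch.
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def redirect_uri_matches(registered: str, base_url: str, realm: str, alias: str) -> bool:
    """Exact-match check of a registered redirect URI against the broker endpoint."""
    return _normalize(registered) == _normalize(broker_endpoint(base_url, realm, alias))


if __name__ == "__main__":
    for failure in failed_broker_logins(SAMPLE_LOG.splitlines()):
        print(failure["timestamp"], failure["realmId"], failure["clientId"], failure["error"])
    expected = broker_endpoint("https://our-domain:8443", "IT4i_AAI", "b2access-it4i")
    print("expected redirect_uri:", expected)
```

The event line only records that the broker callback failed (`error=identity_provider_login_failure`), not why; the exception behind it, if one was thrown, is written by Keycloak's own loggers at a different level, so raising the log verbosity of the container is the next step after the redirect URI has been confirmed byte-for-byte. A trailing slash or a differently cased realm or alias in the registered URI is enough for an exact-match comparison to fail, which is why the helper does not "helpfully" normalize the path.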