Relay State in IDP initiated SSO from external IDP

I am implementing IDP(external IDP) initiated SSO with Keycloak as SP provider. Currently I am able to successfully configure the IDP initiated SSO from external IDP, but I see issue with RelayState url
Here is the flow

  • User logs into IDP
  • Click on app which is set for IDP initiated SSO
  • IDP sends SAML assertion along with post param RelayState
    (eg: RelayState →
  • Keycloak verifies the assertion and logs the user and redirects to

Seems like Keycloak is not using RelayState sent from external IDP. Anyone faced this issue before?

Hi @keycloak_user , did you get the IDP initiated SSO to work? If so, kindly let me know if your workflow is similar to the following:

  1. Login to my identity provider (like ping, okta, Azure AD etc)
  2. Click on the app that my admin has created
  3. Clicking on the app should SSO the user to keycloak (where I have created an Identity Provider and a client)