I see that the topic name is somewhat ambiguous. I apologize for that.
As you suggested, I will explain the procedure to make the problem easier to understand.
For the explanation, I will name the three apps after the protocol they are using:
- SAML1
- SAML2
- OIDC
My testing workflow is:
1. Revoke all sessions on the Keycloak side for all users.
2. As a precaution, I delete all app cookies in the browser.
3. Then I try to access the app SAML1 directly.
4. SAML1 redirects me to the Keycloak realm login page, where I enter the username testuser and the password.
5. After a successful login, Keycloak redirects me back to the SAML1 app, where I am now logged in as testuser.
6. Then I try to access the app SAML2 directly.
7. The SAML2 app also redirects me to Keycloak, but Keycloak immediately redirects me back to the SAML2 app, where I am now logged in as testuser.
8. Now I try to access the app OIDC directly.
9. The OIDC app redirects me to Keycloak, where I land on the realm login page and have to enter the username testuser and the password again.
10. After a successful login, Keycloak redirects me back to the OIDC app, where I am now logged in as testuser.
In my understanding, step 9 should behave like step 7.
The same behavior also happens the other way round.
When the first app I log in to is the OIDC app, I also have to log in again on the Keycloak side for the first SAML app I want to log in to. For the second SAML app, I don't have to log in again.