"unkown flow provider type" with multiple IDPs on a broker setup


we have Keycloak 24 setup as a broker in our external DMZ to link to our internal Keycloak via SAML.

We configured the identity provider on the broker and the client on the internal keycloak and the authenticaiton went fine.

We then wanted to add a second IDP to the broker, so that users could choose with which IDP they wanted to authenticate.

The second IDP was also connected via sAML.

However whenerver we try to access the second IDP we get an error:

Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Unknown flow provider type

The IDPs are accessed via a very simple Basic Authentication Flow, containing 2 IDP-Redirector steps, marked as “Alternative”

Is our setup faulty or is this a bug in keycloak 24?

What else can I provide to help with a diagnosis?


I guess it’s this bug, which is fixed in 24.0.2:

Don’t know if it also fixes existing flows, perhaps you’ll have to recreate your existing flow.

WRT to your description of your use case: I don’t understand why you would use two idp-redirectors as alternatives. If the idp-redirectors are the default ootb ones, that doesn’t make sense to me.
What exacty do you want to achieve?


thank you for the information.
It seems that this is exactly what is causing our problems.

As to you question on what we are trying to do.
As of this moment we are merely playing around with keycloak and its possibilities.

Let’s say I have three different IDPs for my customers.
And for specific clients I want only 2 of them visible on the broker screen.

Then I could go and create an authflow that has two IDP-Redirector-Steps, with a specific IDP set for each one? Would that work?


We have updated to 24.0.2

When I use an auth flow with a single IDP-Redirector and I DONT specify which IDP it should use, I still get an Authentication Exception in the logs.
Though not the same as before, it doesnt say what exactly went wrong…

However when I specify an IDP to use in the step it works as expected.

I had hoped by leaving the default IDP field empty, keycloak would show seperate buttons to login with the IDP of you choice?

Is this still a technical problem or is my configuration wrong?

I can get it to work if I include a username/password steop in the auth flow.
Then keycloak shows the standard login form and below that the 2 IDP-Login buttons.
But we want to see only the buttons for the IDPs.
Is that possible?



The idp redirector authenticator is not about giving a choice to the user, it’s only about redirecting upon certain conditions (either query param or default config). If no condition is met, it does nothing.

As you already found out, the user has the choice of the configured IdP’s on the username-/username-password form itself. There’s no option to “just display the IdP options” ootb. Easiest approach would be to adjust the login.ftl in your custom theme to not show the form, but only the idp-buttons.