SAML Response from Azure AD not transferred to SP Client with KeyCloak as Identity Broker


Robbert R

Jul 6, 2023, 12:41:54 PM
to Keycloak User
Hi, 

I hope someone from this group can help me.
I want to set up SSO for a client application with Azure AD as Identity Provider and Keycloak as Identity Broker in the middle.

From the client application, an SSO login takes the user to Keycloak, where the user can select the configured Azure AD option. The user gets redirected to Azure AD and enters credentials. Then a valid SAML Response is generated. 

But that valid SAML Response from Azure AD doesn't get redirected to the client application. The browser page of the user 'stays' within Keycloak.

I have made screenshots of all relevant configuration and included them in the attached zip file.

Thanks,
Robbert

screenshots_Keycloak_config.zip

Robbert R

Jul 14, 2023, 1:32:57 PM
to Keycloak User
Issue has been resolved. Connection has been established.

Solution:
1. Remove the namespace in the claim definition in Azure AD (the client application doesn't deal with it).
2. In the Client definition in Keycloak, turn on 'Sign documents' to get rid of the 'signature missing' error in the SAML Response.
3. In the IDP definition, set 'First login flow' to the OOTB 'First login flow' (restore it to that first), 'Post login flow' to 'None' and 'Sync mode' to 'Import'.
4. In the IDP definition's Mappers, set the mandatory attributes as basic as possible (because in step 1 most is done in AAD already): 
    *) Sync mode override to "Inherit"
    *) Mapper type to "Attribute Importer"
    *) Name Format to "ATTRIBUTE_FORMAT_BASIC"
    and the exact name and casing as required by the client application.

Regards,
Robbert
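The four settings above can be checked offline against a realm export (for example from `kc.sh export`) and a SAML assertion captured from Azure AD. The script below is an added example, not code from the post or from the Keycloak project. It assumes the key names that appear in realm exports (`saml.server.signature` on the client, `firstBrokerLoginFlowAlias`, `postBrokerLoginFlowAlias`, `config.syncMode` and `config.validateSignature` on the identity provider, and `attribute.name` / `attribute.name.format` / `syncMode` on the `saml-user-attribute-idp-mapper`), and it assumes Keycloak's attribute importer matches an assertion attribute on both its exact `Name` and its `NameFormat`, which is why a leftover claim namespace or a casing difference makes a mapper silently import nothing. The realm fragment and the assertion are constructed sample data. It also checks one setting the post does not mention: `validateSignature` on the identity provider must stay on, otherwise Keycloak would broker assertions that Azure AD never signed.

```python
"""Offline audit of a Keycloak realm export plus a sample Azure AD assertion
against the four settings in the post. Constructed example; not Keycloak code."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Keycloak mapper 'Name Format' option -> SAML NameFormat URN (assumed mapping).
NAME_FORMAT_URN = {
    "ATTRIBUTE_FORMAT_BASIC": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "ATTRIBUTE_FORMAT_URI": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "ATTRIBUTE_FORMAT_UNSPECIFIED": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
}

# Constructed realm-export fragment (key names assumed from realm exports; check yours).
REALM_EXPORT = {
    "clients": [{
        "clientId": "https://sp.example.test/saml", "protocol": "saml",
        "attributes": {"saml.server.signature": "false"},      # step 2 not yet applied
    }],
    "identityProviders": [{
        "alias": "azuread", "providerId": "saml",
        "firstBrokerLoginFlowAlias": "first broker login",      # step 3: OOTB first login flow
        "postBrokerLoginFlowAlias": "",                          # step 3: post login flow None
        "config": {"syncMode": "IMPORT",                         # step 3
                   "validateSignature": "true"},                 # keep on: reject unsigned assertions
    }],
    "identityProviderMappers": [
        {"name": "email", "identityProviderAlias": "azuread",
         "identityProviderMapper": "saml-user-attribute-idp-mapper",
         "config": {"syncMode": "INHERIT", "attribute.name": "email",
                    "attribute.name.format": "ATTRIBUTE_FORMAT_BASIC", "user.attribute": "email"}},
        {"name": "givenName", "identityProviderAlias": "azuread",
         "identityProviderMapper": "saml-user-attribute-idp-mapper",
         "config": {"syncMode": "FORCE", "attribute.name": "givenName",   # step 4 not applied
                    "attribute.name.format": "ATTRIBUTE_FORMAT_BASIC", "user.attribute": "firstName"}},
        {"name": "surname", "identityProviderAlias": "azuread",
         "identityProviderMapper": "saml-user-attribute-idp-mapper",
         "config": {"syncMode": "INHERIT", "attribute.name": "surname",
                    "attribute.name.format": "ATTRIBUTE_FORMAT_BASIC", "user.attribute": "lastName"}},
    ],
}

# Constructed AttributeStatement: step 1 was applied to email and givenName, but the
# surname claim still carries its namespace. Signature and the rest of the assertion omitted.
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="{NAME_FORMAT_URN['ATTRIBUTE_FORMAT_BASIC']}">
      <saml:AttributeValue>robbert@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName" NameFormat="{NAME_FORMAT_URN['ATTRIBUTE_FORMAT_BASIC']}">
      <saml:AttributeValue>Robbert</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
                    NameFormat="{NAME_FORMAT_URN['ATTRIBUTE_FORMAT_URI']}">
      <saml:AttributeValue>R</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_client(client):
    """Step 2: a SAML client must have 'Sign documents' on, or the SP sees no signature."""
    if client.get("protocol") != "saml":
        return []
    if client.get("attributes", {}).get("saml.server.signature") != "true":
        return [f"client {client['clientId']}: 'Sign documents' (saml.server.signature) is off, "
                f"the SP reports a missing signature"]
    return []


def check_idp(idp):
    """Step 3 plus the signature-validation check the post leaves implicit."""
    out, cfg = [], idp.get("config", {})
    if not idp.get("firstBrokerLoginFlowAlias"):
        out.append(f"idp {idp['alias']}: first login flow is empty, restore 'first broker login'")
    if idp.get("postBrokerLoginFlowAlias"):
        out.append(f"idp {idp['alias']}: post login flow should be None")
    if cfg.get("syncMode") != "IMPORT":
        out.append(f"idp {idp['alias']}: sync mode is {cfg.get('syncMode')}, expected IMPORT")
    if cfg.get("validateSignature") != "true":
        out.append(f"idp {idp['alias']}: validateSignature is off, unsigned assertions would be accepted")
    return out


def assertion_attributes(xml_text):
    """Map attribute Name -> NameFormat URN; a missing NameFormat defaults to unspecified (SAML 2.0)."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): a.get("NameFormat", NAME_FORMAT_URN["ATTRIBUTE_FORMAT_UNSPECIFIED"])
            for a in root.iter(f"{{{SAML_NS}}}Attribute")}


def check_mappers(mappers, attrs):
    """Step 4: INHERIT sync mode, and each mapper must hit an assertion attribute by exact
    Name and NameFormat (assumption about Keycloak's matching; casing and namespace matter)."""
    out = []
    for m in mappers:
        if m.get("identityProviderMapper") != "saml-user-attribute-idp-mapper":
            continue
        cfg = m["config"]
        if cfg.get("syncMode") != "INHERIT":
            out.append(f"mapper {m['name']}: sync mode override is {cfg.get('syncMode')}, expected INHERIT")
        name = cfg.get("attribute.name")
        fmt = cfg.get("attribute.name.format", "ATTRIBUTE_FORMAT_BASIC")
        if attrs.get(name) != NAME_FORMAT_URN[fmt]:
            # Point at the likely culprit: same local name behind a namespace, or different casing.
            hints = [n for n in attrs if n.rsplit("/", 1)[-1].lower() == str(name).lower()]
            out.append(f"mapper {m['name']}: no assertion attribute {name!r} with {fmt}; assertion has "
                       f"{hints or list(attrs)} (remove the namespace in the Azure AD claim or fix the casing)")
    return out


def audit(realm, assertion_xml):
    """Run all checks over a realm export dict and an assertion; returns a list of findings."""
    findings = []
    for c in realm.get("clients", []):
        findings += check_client(c)
    for i in realm.get("identityProviders", []):
        findings += check_idp(i)
    findings += check_mappers(realm.get("identityProviderMappers", []), assertion_attributes(assertion_xml))
    return findings


if __name__ == "__main__":
    for finding in audit(REALM_EXPORT, ASSERTION_XML):
        print("-", finding)
```

With the constructed data the audit reports three findings: the client still has 'Sign documents' off, the givenName mapper uses FORCE instead of INHERIT, and the surname mapper finds no basic-format `surname` attribute because Azure AD still sends the namespaced claim. To use it on a real deployment, load the realm export JSON into `REALM_EXPORT` and paste the decoded SAML response's assertion into `ASSERTION_XML`; capture it from the browser's SAML tracer, not from Keycloak's logs, so you see exactly what Azure AD emits.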