Hello there, I’m facing an issue with Okta and Keycloak, similar to what was reported here: https://keycloak.discourse.group/t/keycloak-as-sp-for-saml-idp/514/7
When login starts from Keycloak (we can call it “SP initiated”) it works fine (I have an issue with account linking, but the SAML login is fine), but when I start from Okta (IdP initiated) it doesn’t work and I see this error in the logs:
08:19:56,497 DEBUG [org.keycloak.saml.common] (default task-229) org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2020-06-04T08:19:56.497Z
08:19:56,497 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-229) Evaluating Conditions of Assertion id37421891469951621571969445. notBefore=2020-06-04T08:14:56.167Z, notOnOrAfter=2020-06-04T08:24:56.167Z, updatedNotBefore: 2020-06-04T08:12:56.167Z, updatedOnOrAfter=2020-06-04T08:26:56.167Z, now: 2020-06-04T08:19:56.497Z
08:19:56,498 DEBUG [org.keycloak.saml.validators.ConditionsValidator] (default task-229) Assertion id37421891469951621571969445 validity is VALID
08:19:56,498 WARN [org.keycloak.events] (default task-229) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=[my_realmId], clientId=null, userId=null, ipAddress=[my_ip], error=invalidRequestMessage
08:19:56,498 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-229) invalidRequestMessage
I've found some documentation talking about IdP initiated login (here https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/saml/idp-initiated-login.adoc), but this is related to clients and not to Identity Providers. I wasn’t able to find documentation about using an external IdP with an IdP initiated login flow.
Any suggestion on how to configure it to accept an inbound login flow?
Thanks in advance,
Fabio