"cookie_not_found" on IdP-Initiated SAML login via Azure AD behind NGINX Ingress

Hi there,

I’m using Keycloak 26.0.7 (PhaseTwo image) deployed in Kubernetes (EKS) behind an NGINX Ingress Controller (v1.11.3), and trying to configure IdP-initiated SAML login with Azure AD.

After Azure AD redirects back to Keycloak, I receive the following error:

IDENTITY_PROVIDER_LOGIN_ERROR: cookie_not_found

On the page, Keycloak shows:

Cookie not found. Please make sure cookies are enabled in your browser.


:wrench: Environment:

  • Keycloak: 26.0.7 with Keycloak Operator
  • Ingress Controller: nginx-ingress-controller v1.11.3
  • TLS: Wildcard certificate for *.countrynavigator.com
  • Ingress host: https://apiv2-dev.countrynavigator.com/auth

Ingress annotations:

annotations:
  nginx.ingress.kubernetes.io/backend-protocol: HTTP
  nginx.ingress.kubernetes.io/proxy-cookie-samesite: None
  nginx.ingress.kubernetes.io/proxy-cookie-secure: 'true'
  nginx.ingress.kubernetes.io/use-forwarded-headers: 'true'
  nginx.ingress.kubernetes.io/configuration-snippet: |
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

:white_check_mark: What I’ve already checked:

  • Environment variables are set:
    • KC_PROXY=edge
    • KC_PROXY_ADDRESS_FORWARDING=true
    • KC_KEYCLOAK_SAMESITE_COOKIE=None
    • KC_KEYCLOAK_SECURE_COOKIE=true
  • Ingress TLS works and HTTPS is used end-to-end
  • Browser DevTools show no cookies are set
  • No SameSite or Secure errors in browser
  • X-Forwarded-* headers are passed
  • Keycloak logs show:

Non-secure context detected; cookies are not secured...


:thinking: My suspicion:

  • Keycloak may not recognize the request as secure
  • Ingress might be misconfigured for forwarding headers or protocol
  • There’s a conflict in SameSite=None + Secure + third-party iframe (common with SAML IdP-initiated logins)
  • Or, the NGINX Ingress controller isn’t trusting forwarded headers despite annotations

:red_question_mark: Questions:

  1. How can I ensure that Keycloak properly sets cookies in an IdP-initiated SAML flow via Azure AD?
  2. Should I switch the service targetPort to 8443 and enable HTTPS fully in the cluster?
  3. Is any additional nginx.ingress.kubernetes.io/configuration-snippet logic required?
  4. How can I confirm that Keycloak recognizes the request as secure and allows secure cookies?

Any advice or working configuration examples would be much appreciated! :folded_hands:
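An added diagnostic for question 4 (not part of the original post or of Keycloak itself): it parses the Set-Cookie headers a browser receives after the Azure AD POST back to Keycloak and reports which cookies cannot survive a cross-site POST, i.e. cookies without SameSite=None or without Secure, and it checks whether the X-Forwarded-Proto header that the ingress annotations above are meant to inject actually reaches the backend. The cookie names and header values below are constructed sample data, not captured from the poster's deployment.

```python
"""Audit Set-Cookie headers and forwarded headers for an IdP-initiated SAML flow.

Constructed sample data; assumed names, not output captured from the post's setup.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CookieReport:
    name: str
    secure: bool
    samesite: Optional[str]
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Extract the cookie name and the Secure / SameSite attributes from one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = val.strip().lower() or None
    return CookieReport(name, secure, samesite)


def audit_set_cookie(header_value: str) -> CookieReport:
    """Flag attributes that make the cookie unusable when the SAML response is POSTed cross-site."""
    r = parse_set_cookie(header_value)
    if r.samesite is None:
        # Browsers treat a missing attribute as Lax, which drops the cookie on a cross-site POST.
        r.problems.append("no SameSite attribute (defaults to Lax; dropped on cross-site POST)")
    elif r.samesite != "none":
        r.problems.append(f"SameSite={r.samesite} blocks cross-site POST")
    if r.samesite == "none" and not r.secure:
        # SameSite=None is only honoured together with Secure.
        r.problems.append("SameSite=None requires Secure; browsers reject this cookie")
    elif not r.secure:
        r.problems.append("missing Secure")
    return r


def forwarded_proto_is_https(backend_headers: dict) -> bool:
    """True when the request as seen by Keycloak carries X-Forwarded-Proto: https (case-insensitive lookup)."""
    for k, v in backend_headers.items():
        if k.lower() == "x-forwarded-proto":
            return v.strip().lower() == "https"
    return False


if __name__ == "__main__":
    # Constructed sample: one correct cookie and two that a cross-site SAML POST would lose.
    sample_set_cookie = [
        "AUTH_SESSION_ID=abc123; Path=/auth/realms/demo/; Secure; SameSite=None; HttpOnly",
        "KEYCLOAK_SESSION=def456; Path=/auth/realms/demo/; HttpOnly",
        "KEYCLOAK_IDENTITY=ghi789; Path=/auth/realms/demo/; SameSite=None; HttpOnly",
    ]
    for h in sample_set_cookie:
        rep = audit_set_cookie(h)
        status = "OK" if not rep.problems else "; ".join(rep.problems)
        print(f"{rep.name}: {status}")

    # Constructed sample of headers as they arrive at the Keycloak pod (e.g. from a request log).
    backend_headers = {"Host": "apiv2-dev.countrynavigator.com", "X-Forwarded-Proto": "https"}
    print("X-Forwarded-Proto=https reaches backend:", forwarded_proto_is_https(backend_headers))
```

Run it against real Set-Cookie values copied from the browser's network tab and against the request headers Keycloak logs; any cookie listed with a problem, or a False for the forwarded-proto check, points at the ingress or proxy settings rather than at the SAML configuration.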