Context
We are migrating an existing SAML Service Provider (SP) application to Keycloak,
where Keycloak will act as an SP and broker authentication to multiple external
customer Identity Providers (IdPs).
To ensure zero impact on our customers, we have kept the following identical between
the old SP and Keycloak:
- EntityID
- SP signing certificate
- AssertionConsumerServiceURL (ACS URL)
The ACS URL format we need to preserve is:
https://mycompany.com/myapp/Main/ad/samlAuth/SSOActions
We use Nginx as a reverse proxy that routes the SAML POST response from the
customer IdP to Keycloak’s internal broker
https://mycompany.com/.../SSOActions
→ https://keycloak-internal/realms/pqr/broker/<idp-alias>/endpoint
Problem
When Keycloak generates the SP-initiated AuthnRequest, it sets the
AssertionConsumerServiceURL to its own internal broker endpoint:
https://keycloak-host/realms/broker/<idp-alias>/endpoint
However, we need Keycloak to set it to our custom external ACS URL:
https://mycompany.com/myapp/Main/ad/samlAuth/SSOActions
This is critical because:
- The customer IdP validates the ACS URL in the AuthnRequest against its registered SP metadata
- We cannot ask customers to update their IdP configuration
Question
Is there a supported, configuration-only way in Keycloak to override the
AssertionConsumerServiceURL in the outgoing SAML AuthnRequest when using
Keycloak as an Identity Broker (SP)?
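For reference, the check the customer IdP performs on the incoming AuthnRequest (comparing AssertionConsumerServiceURL against the ACS URL registered in SP metadata) can be reproduced locally to confirm which URL a given request would fail on. This is an added illustration, not Keycloak code or the original poster's; the AuthnRequest it builds is a constructed sample in the HTTP-Redirect encoding (raw DEFLATE + base64), and the realm name and `example-idp` alias are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# The ACS URL the customer IdP has on file from the SP metadata (from the question).
REGISTERED_ACS_URL = "https://mycompany.com/myapp/Main/ad/samlAuth/SSOActions"

# Constructed placeholder for the endpoint Keycloak writes into its AuthnRequest.
KEYCLOAK_BROKER_ENDPOINT = "https://keycloak-host/realms/pqr/broker/example-idp/endpoint"


def build_authn_request(acs_url: str) -> str:
    """Build a minimal, constructed AuthnRequest carrying the given ACS URL and
    encode it the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed-1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer xmlns:saml="{SAML_NS}">https://mycompany.com/myapp</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def extract_acs_url(saml_request: str) -> Optional[str]:
    """Decode a SAMLRequest parameter and return its AssertionConsumerServiceURL."""
    raw = zlib.decompress(base64.b64decode(saml_request), wbits=-15)
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


def acs_url_acceptable(saml_request: str, registered: set) -> bool:
    """Mirror the IdP-side rule: an explicit ACS URL must exactly match one registered
    in SP metadata; an absent attribute falls back to the metadata default."""
    acs = extract_acs_url(saml_request)
    return acs is None or acs in registered
```

Running `acs_url_acceptable` on a request built with `KEYCLOAK_BROKER_ENDPOINT` shows the rejection the question describes, while the registered ACS URL passes.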