IDP Initiated SAML SSO - cookie not found error (Keycloak as broker)

I’m on Keycloak version 22.0.3 and am using it as a broker between my app and Okta IDP (SAML)

SP-initiated SSO is working fine, but I am running into problems when I go the other way and configure it for IdP-initiated SSO. Okta is sending the SAML login response to Keycloak, which is immediately logging a "Cookie Not Found" error.

Is this an issue that would be fixed with an upgrade to version 26?

The Keycloak admin guide mentions that IdP-initiated SSO is supported (Server Administration Guide) but does not mention anything about cookie issues, although I note that cookie changes were made in versions 25/26. I noted this post, which suggested that some NGINX and KC_PROXY_HEADERS changes may also be required.

It would be good to get some clarification on how this issue can be resolved.

Thanks in advance.

AFAIK Keycloak only supports IdP initiated SSO when Keycloak is the IdP.
In case of federation/brokering, Keycloak is the client, not the IdP.

I found this guide to be the best/only one out there for configuring IdP-initiated SSO between Keycloak and Okta:

https://www.lisenet.com/2020/keycloak-with-okta-idp-initiated-sso-login/

We did a derivative article, which was largely informed by the above:


Thanks both, I have this link and also IDP initiated Login with Keycloak — Lumilinks, which, however, requires me to create a redirect endpoint in my app. I was hoping to avoid this by having a config-only solution.

In case it is useful to anyone else, I managed to solve the "cookie not found" issue with an upgrade to version 26 and some environment changes to KC_PROXY_HEADERS and proxy_cookie_flags, as described here: SAML IDP initiated SSO getting cookie_not_found error · Issue #20490 · keycloak/keycloak · GitHub
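For readers who want to see what the reverse-proxy side of that fix looks like, below is an added example NGINX configuration; it is not taken from the thread, the linked GitHub issue, or the Keycloak project, and the hostname `sso.example.com`, the upstream name `keycloak:8080` and the certificate paths are assumptions. The security-relevant point is that in IdP-initiated SSO the SAML response arrives at Keycloak as a cross-site POST from Okta, so the browser will only attach Keycloak's authentication-session cookie if that cookie carries `SameSite=None; Secure`. Keycloak can only emit `Secure` when it knows the original request was HTTPS, which behind a TLS-terminating proxy requires trusting the `X-Forwarded-*` headers (Keycloak 24+ option `KC_PROXY_HEADERS=xforwarded`); `proxy_cookie_flags` on the NGINX side additionally forces the flags on any cookie the upstream sets without them.

```nginx
# Added example: TLS-terminating NGINX in front of Keycloak 26 for IdP-initiated SAML.
# Assumed names: sso.example.com, upstream keycloak:8080, certificate paths.
# Start Keycloak with:  KC_PROXY_HEADERS=xforwarded  KC_HOSTNAME=sso.example.com  KC_HTTP_ENABLED=true
# (only NGINX should be able to reach port 8080; otherwise a client could spoof X-Forwarded-Proto).

server {
    listen 443 ssl;
    server_name sso.example.com;

    ssl_certificate     /etc/nginx/tls/sso.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/sso.example.com.key;   # assumed path

    location / {
        proxy_pass http://keycloak:8080;
        proxy_http_version 1.1;

        # Without these, Keycloak sees a plain-HTTP request from the proxy, builds
        # http:// URLs and leaves Secure off its cookies, so the browser drops them on
        # the cross-site POST from Okta and Keycloak logs "cookie not found".
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        # Belt and braces (NGINX >= 1.19.3): rewrite every Set-Cookie from the upstream
        # to carry Secure and SameSite=None, so it survives Okta's cross-site POST.
        proxy_cookie_flags ~ secure samesite=none;

        # SAML responses and Keycloak headers are large; avoid 502s from tiny buffers.
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }
}
```

Two checks after applying this: (1) in the browser's developer tools, the `AUTH_SESSION_ID` / `KEYCLOAK_*` cookies set by Keycloak should show `Secure` and `SameSite=None`; a cookie with `SameSite=None` but no `Secure` is rejected outright by current browsers, which reproduces the original error. (2) Keycloak's own log at startup should report the hostname as `https://sso.example.com`; if it still reports `http`, the proxy headers are not being trusted and `KC_PROXY_HEADERS` is not taking effect. Only trust `X-Forwarded-*` from a proxy you control, since with that option set Keycloak believes whatever scheme and host the headers claim.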