I am looking to configure a SAML 2.0 based IDP-initiated SSO solution using Okta IDP with Keycloak v26 as an identity broker i.e. user clicks on an application tile in Okta and this sends the SAML 2.0 Response to Keycloak which then redirects the user to the client application where they are logged in.
According to the Server Admin Guide here (Server Administration Guide) this should be supported out of the box? I am not finding the explanation very clear. This functionality has been advertised since at least version 21 but I can’t find examples anywhere showing how people have done this.
I have seen the usual links that have achieved the same result (IDP initiated Login with Keycloak — Lumilinks, and Keycloak with Okta IDP Initiated SSO Login | Lisenet.com :: Linux | Security | Networking) but these seem to rely on coding some kind of additional redirect proxy and in other areas they do not follow the docs (e.g. the format of the POST Binding URL). Have I misunderstood the documentation - is what I’m trying to achieve possible out-of-the-box as the guide suggests or will I have to create a redirect application etc. as described in these links?
Any help gratefully received
Thanks
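To make the flow in the question concrete, here is an added example (not part of the post, and not Keycloak's or Okta's code) of the message Okta posts to the broker in an IdP-initiated flow: an unsolicited SAML 2.0 Response, and the checks a broker such as Keycloak has to apply to it before it can redirect the user on to the client. The XML is constructed for illustration, and the broker endpoint URL, realm name, IdP alias, entity ID and Okta issuer are placeholders (the `/realms/<realm>/broker/<alias>/endpoint` path is an assumption about the form of Keycloak's broker endpoint; take the real value from the Server Administration Guide for your version). Signature verification over the Response and Assertion is mandatory in a real broker and is deliberately left out here because it needs an XML-DSig library.

```python
"""Added example: what an IdP-initiated (unsolicited) SAML 2.0 Response looks
like when an IdP such as Okta posts it to a broker, and the checks the broker
must apply before trusting it.  All URLs and entity IDs are placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed broker endpoint form; verify against the Keycloak docs for your version.
BROKER_ACS_URL = "https://keycloak.example.com/realms/myrealm/broker/okta/endpoint"
BROKER_ENTITY_ID = "https://keycloak.example.com/realms/myrealm"   # placeholder SP entity ID
OKTA_ISSUER = "http://www.okta.com/exampleIdpPlaceholder"         # placeholder IdP issuer

# Constructed sample: an unsolicited Response (no InResponseTo anywhere).
CONSTRUCTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{BROKER_ACS_URL}">
  <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{OKTA_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="{BROKER_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-12-31T23:55:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{BROKER_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same message with the Destination pointed somewhere else (first occurrence only).
MISDIRECTED_RESPONSE = CONSTRUCTED_RESPONSE.replace(BROKER_ACS_URL, "https://other.example.com/acs", 1)

# A fixed "now" inside the validity window so the checks are deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)


def _ts(value):
    """Parse the UTC timestamp form used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_unsolicited_response(xml_text, acs_url, sp_entity_id, trusted_issuer, now):
    """Return a list of problems; an empty list means the response passes.
    XML-DSig signature verification is required in a real broker and is not
    reimplemented here."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:
        problems.append("Destination does not match the broker ACS URL")
    if resp.get("InResponseTo") is not None:
        problems.append("IdP-initiated response must not carry InResponseTo")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("Status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion present")
        return problems
    for issuer in (resp.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != trusted_issuer:
            problems.append("Issuer is not the configured IdP")
            break
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient does not match the broker ACS URL")
    elif scd.get("InResponseTo") is not None:
        problems.append("bearer confirmation must not carry InResponseTo in an unsolicited response")
    elif _ts(scd.get("NotOnOrAfter")) <= now:
        problems.append("bearer confirmation has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions missing")
    else:
        if cond.get("NotBefore") and _ts(cond.get("NotBefore")) > now:
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and _ts(cond.get("NotOnOrAfter")) <= now:
            problems.append("assertion has expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("Audience does not include the broker entity ID")
    return problems


if __name__ == "__main__":
    for label, doc in (("constructed", CONSTRUCTED_RESPONSE), ("misdirected", MISDIRECTED_RESPONSE)):
        print(label, check_unsolicited_response(doc, BROKER_ACS_URL, BROKER_ENTITY_ID, OKTA_ISSUER, SAMPLE_NOW))
```

The point for the configuration question is the second case: the `Destination` and `Recipient` values Okta puts in the Response are exactly the "POST Binding URL" configured on the Okta side, and the broker rejects the message if they differ from its own endpoint, which is why that URL's format matters more than any redirect proxy in front of it.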