I’m trying to set up multiple SAML clients within a single Keycloak realm (Keycloak is the IdP). The idea is to have multiple SAML clients for the same SP within the same realm. SAML client 1 will be used by Entity A and SAML client 2 will be used by Entity B.
The Service Provider is an external application for which the Issuer in the SAMLRequest is the same for all customers (let’s call it https://test.net/).
Creating the 1st SAML client in Keycloak is no problem; all works fine. When creating the second SAML client in the same Keycloak realm, I get an error when setting the Client ID, because the Client ID usually needs to match the SP Issuer, but since https://test.net/ is already taken by the Client ID of the 1st SAML client in Keycloak, I cannot add a second SAML client with the same Client ID.
If I change the Client ID of the second SAML client to something else other than https://test.net/, then the SAML flow breaks because the Issuer passed in the SAMLRequest by the SP does not match the Client ID of the 2nd SAML client in Keycloak.
Other IdPs such as Azure AD and Okta provide a unique Login SAML endpoint per SAML client, so that by the time the SP calls the IdP SAML endpoint the IdP already knows which SAML client the user should be authenticated against, and does not rely on the SP Issuer.
How can I have a unique SAML endpoint per SAML client in the same Realm so that Keycloak does not solely rely on the SP Issuer?
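To make the root cause of the question concrete, here is an added illustration (not code from the original post, and not Keycloak's own code) of what an IdP sees when it receives a SAML AuthnRequest over the HTTP-Redirect binding: the request is inflated, parsed, and the `<saml:Issuer>` is extracted. Two constructed requests from Entity A and Entity B carry the same Issuer (`https://test.net/`), so a registry keyed on Issuer alone cannot tell them apart; the registry entries, the `AssertionConsumerServiceURL` values and the client IDs (`https://test.net/`, `entity-b`) are assumptions made up for the example. The ACS-URL lookup at the end is one hypothetical way to disambiguate when the entities use different ACS URLs; it is not a statement about what Keycloak does.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs

# SAML 2.0 namespaces used in AuthnRequest documents
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_authn_request(issuer, acs_url, request_id):
    """Minimal unsigned AuthnRequest (constructed sample, not captured traffic)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_redirect_binding(query_string):
    """Reverse of encode_redirect_binding: returns the parsed AuthnRequest root."""
    params = parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    return ET.fromstring(xml_text)


def extract_issuer_and_acs(query_string):
    """What the IdP has to route on: the Issuer and the requested ACS URL."""
    root = decode_redirect_binding(query_string)
    issuer = root.find("saml:Issuer", NS).text
    acs = root.get("AssertionConsumerServiceURL")
    return issuer, acs


# Hypothetical client registry: two clients that both represent the same SP.
CLIENT_REGISTRY = {
    "https://test.net/": {"issuer": "https://test.net/", "acs": "https://a.example/acs"},
    "entity-b": {"issuer": "https://test.net/", "acs": "https://b.example/acs"},
}


def clients_matching_issuer(registry, issuer):
    """Issuer-only routing: returns every client ID whose issuer matches."""
    return sorted(cid for cid, cfg in registry.items() if cfg["issuer"] == issuer)


def clients_matching_acs(registry, acs_url):
    """Hypothetical disambiguation by ACS URL (assumes each entity has its own)."""
    return sorted(cid for cid, cfg in registry.items() if cfg["acs"] == acs_url)


# Constructed requests from Entity A and Entity B, same Issuer, different ACS.
REQ_A = encode_redirect_binding(
    build_authn_request("https://test.net/", "https://a.example/acs", "_a1"))
REQ_B = encode_redirect_binding(
    build_authn_request("https://test.net/", "https://b.example/acs", "_b1"))


def route_request(query_string):
    """Returns (issuer_candidates, acs_candidates) for one incoming request."""
    issuer, acs = extract_issuer_and_acs(query_string)
    return clients_matching_issuer(CLIENT_REGISTRY, issuer), clients_matching_acs(CLIENT_REGISTRY, acs)


if __name__ == "__main__":
    for label, req in (("Entity A", REQ_A), ("Entity B", REQ_B)):
        by_issuer, by_acs = route_request(req)
        print(f"{label}: by issuer -> {by_issuer} (ambiguous), by ACS -> {by_acs}")
```

Running the module prints that both requests map to both registered clients when matched on Issuer, which is the collision the question describes, while a second attribute (here the ACS URL, or a per-client login endpoint as the question asks for) yields a single client.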