We are using keycloak 4.5.0 for SP-initiated and IdP-initiated auth flows.
We are using Auth0 as the external IdP for test purposes.
We have managed the SP-initiated flow successfully. But we are facing
issues with IdP initiated flow. I was hoping you could help.
1. Will the external IdP need two separate clients to connect to our
keycloak instance, one for SP-initiated and other for IdP. PFA the metadata
we generated for SP-initiated flow. The SingleLogoutService.Location and
AssertionConsumerService.Location are '
But, for IdP initiated flow, we are having to replace the above with '
This would result in 2 clients on the external IdP side.
Is there a way to avoid this?
2. With the IdP initiated flow, we are also facing issues with backchannel
logout. It gives a certificate issue. What certificate does keycloak
expect? The SP client's or the external IdP's?
Any help will be appreciated!
Thank you once again.