Hi all
We are using Keycloak 4.5.0 for SP-initiated and IdP-initiated auth flows.
We are using Auth0 as the external IdP for test purposes.
We have managed the SP-initiated flow successfully, but we are facing
issues with the IdP-initiated flow. I was hoping you could help.
1. Will the external IdP need two separate clients to connect to our
Keycloak instance, one for SP-initiated and the other for IdP-initiated? Please find attached the metadata
we generated for the SP-initiated flow. The SingleLogoutService.Location and
AssertionConsumerService.Location are 'https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-s...'
But for the IdP-initiated flow, we are having to replace the above with 'https://shaktimaanhub.bsstag.com/auth/realms/browserstack/broker/oracle-s...'
This would result in 2 clients on the external IdP side.
Is there a way to avoid this?
2. With the IdP-initiated flow, we are also facing issues with backchannel
logout. It gives a certificate issue. What certificate does Keycloak
expect? The SP client's or the external IdP's?
Any help will be appreciated!
Thank you once again.
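Since question 1 turns on which SingleLogoutService and AssertionConsumerService locations the SP metadata advertises, and question 2 on which certificate is in play, here is an added example (not code from the post above, nor from Keycloak or Auth0) that parses SAML 2.0 SP metadata with the Python standard library and reports its endpoints and KeyDescriptor certificates, so the metadata generated for each flow can be compared side by side. The sample metadata, its entity ID, endpoint URLs and certificate bytes are constructed placeholders; the second document in `main()` is likewise a hypothetical variant whose endpoints differ.

```python
"""Extract endpoints and certificates from SAML 2.0 SP metadata and diff two documents.

Added example; not code from the original post, Keycloak or Auth0.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: placeholder entity ID, endpoints and a fake certificate blob
# (arbitrary bytes, not a real DER certificate).
FAKE_CERT_DER = b"placeholder-bytes-standing-in-for-a-DER-certificate"
_FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/auth/realms/demo">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST_BINDING}"
        Location="https://sp.example.test/auth/realms/demo/broker/idp-alias/endpoint"/>
    <md:AssertionConsumerService Binding="{POST_BINDING}" index="1" isDefault="true"
        Location="https://sp.example.test/auth/realms/demo/broker/idp-alias/endpoint"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, the usual way to match a cert across systems."""
    return hashlib.sha256(der).hexdigest()


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entity ID, ACS/SLO endpoints and KeyDescriptor certificates of an SP metadata doc."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    endpoints = []
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for el in sp.findall(f"md:{tag}", NS):
            endpoints.append({"service": tag, "binding": el.get("Binding"), "location": el.get("Location")})

    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # Per the SAML metadata spec, a KeyDescriptor without a 'use' attribute covers both uses.
        use = kd.get("use", "signing+encryption")
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append({"use": use, "sha256": cert_fingerprint(der)})

    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "certificates": certs}


def endpoint_diff(meta_a: dict, meta_b: dict):
    """(service, binding, location) triples only in A, and only in B."""
    a = {(e["service"], e["binding"], e["location"]) for e in meta_a["endpoints"]}
    b = {(e["service"], e["binding"], e["location"]) for e in meta_b["endpoints"]}
    return sorted(a - b), sorted(b - a)


def main():
    first = parse_sp_metadata(SAMPLE_SP_METADATA)
    # Hypothetical second document whose endpoints point somewhere else (placeholder path).
    second = parse_sp_metadata(SAMPLE_SP_METADATA.replace("/idp-alias/endpoint", "/idp-alias/other-endpoint"))
    print("entity:", first["entity_id"])
    for c in first["certificates"]:
        print(f"cert use={c['use']} sha256={c['sha256']}")
    only_first, only_second = endpoint_diff(first, second)
    print("only in first:", only_first)
    print("only in second:", only_second)


if __name__ == "__main__":
    main()
```

Run it against the two metadata files you actually exported (one per flow) instead of the embedded sample to see exactly which endpoints and which certificate uses differ; if the IdP-side client is rejecting a signature, the SHA-256 fingerprints make it easy to check which party's certificate the IdP was actually given.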