[keycloak-user] broker saml - forbidden

Hi I'm implementing a solution as shown saml-broker-authentication, trying to protect a war (spring-rest). All configured fine, Keycloak-saml-idp returns fine, am getting a OIDC tocken back from Keycloak , but when it returns back to the URL I was initially hit, I get forbidden. Anyone gone through this pain - any tips? Thank you. John