Hi Dmitri,
Just to say thank you for your comments.
MJ
On 11/14/18 7:15 PM, Dmitry Telegin wrote:
I used to work with PingIdentity (or rather on-premise PingFederate)
and Okta, using SAML in both cases, and the results were perfect. For
Okta, I'd recommend an excellent article by Michael Furman [1].
Michael uses SAML too; don't know if you're going to use SAML or
OpenID Connect, but in the latter case the process should be similar.
Please read this [2] on the protocol choice.
NB you can use whatever combination of protocols you like (OIDC at
Keycloak + SAML at SaaS IdP or vice versa), but probably not if
you're seriously considering IdP-initiated login. In that case,
things work more smoothly with pure SAML.