Specific case where Keycloak loops on querying one identity provider
The Realm setup:
- OIDC client
- A SAML identity provider configured to query an ADFS instance.
- "First broker login" authorization flow configured to use this saml identity provider only
If the user exists in the ADFS and is granted access, everything works fine.
But if the user does not have access to the ADFS relying party trust, the authentication flow goes into a loop between these 2 URLs:
- POST https://adfsdomain/adfs/ls responds 200 with status code: `urn:oasis:names:tc:SAML:2.0:status:RequestDenied`
- POST https://keycloak/auth/realms/REALM/broker/saml/endpoint/ responds 303
and so on
Is this a configuration issue?
It seems that the response sent out by the ADFS instance is not well understood by Keycloak in this case. Is it outside the SAML standard protocol?
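An added example, not code from the original post or from Keycloak: a small Python parser for the `SAMLResponse` form field that extracts the top-level and second-level `StatusCode` from a SAML 2.0 Response and decides whether a broker should continue to assertion validation or end the login attempt. The Response bodies are constructed here for illustration (unsigned, no assertion, made-up IDs and status message); only the Destination URL is taken from the post. In SAML 2.0 Core (section 3.2.2.2) `RequestDenied` is a second-level code nested under a top-level `Responder`, so the constructed denial nests it that way, and a flat `RequestDenied` is also handled since that is the value quoted above.

```python
"""Added example (not from the original post): inspect the Status of a SAML 2.0
Response posted to a broker endpoint and decide whether to continue.

Assumptions (not from the post): the Response bodies are constructed test
data; only BROKER_ENDPOINT is the URL quoted in the post.
"""
import base64
from typing import Optional, Tuple
# For real inbound XML use defusedxml instead of the stdlib parser.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

BROKER_ENDPOINT = "https://keycloak/auth/realms/REALM/broker/saml/endpoint/"


def build_response(top_level: str, second_level: Optional[str] = None,
                   message: Optional[str] = None) -> str:
    """Build a minimal, unsigned samlp:Response and return it base64-encoded,
    the way it travels in the SAMLResponse field of the HTTP-POST binding.
    Constructed test data: no assertion, no signature."""
    nested = f'<samlp:StatusCode Value="{second_level}"/>' if second_level else ""
    msg = f"<samlp:StatusMessage>{message}</samlp:StatusMessage>" if message else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z" Destination="{BROKER_ENDPOINT}">'
        f"<samlp:Status><samlp:StatusCode Value=\"{top_level}\">{nested}"
        f"</samlp:StatusCode>{msg}</samlp:Status></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def extract_status(saml_response_b64: str) -> Tuple[str, Optional[str]]:
    """Return (top-level StatusCode, nested second-level StatusCode or None)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None or top.get("Value") is None:
        raise ValueError("Response carries no StatusCode")
    nested = top.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), (nested.get("Value") if nested is not None else None)


def decide(saml_response_b64: str) -> Tuple[str, str]:
    """Map a Response to a broker action plus a short reason for the log.

    'accept' -> go on to assertion validation.
    'fail'   -> end this login attempt with an error. A non-Success Status is
                the IdP's final answer to that AuthnRequest; issuing a fresh
                AuthnRequest to the same IdP instead produces the POST/303
                ping-pong described above whenever the IdP always denies.
    """
    top, second = extract_status(saml_response_b64)
    reason = "/".join(code.rsplit(":", 1)[-1] for code in (top, second) if code)
    if top == STATUS_SUCCESS:
        return "accept", reason
    return "fail", reason


# Constructed sample messages (not captured from any real ADFS instance).
DENIED_B64 = build_response(
    STATUS_RESPONDER, STATUS_REQUEST_DENIED,
    "The user is not authorized for this relying party trust.")
FLAT_DENIED_B64 = build_response(STATUS_REQUEST_DENIED)  # as quoted in the post
SUCCESS_B64 = build_response(STATUS_SUCCESS)

if __name__ == "__main__":
    for label, msg in (("nested denial", DENIED_B64),
                       ("flat denial", FLAT_DENIED_B64),
                       ("success", SUCCESS_B64)):
        print(label, "->", decide(msg))
```

The point of `decide` is that anything other than `Success` is terminal for that AuthnRequest: the broker should surface an error (and log the second-level code, which is where the useful detail lives) rather than send the browser back to the IdP. Whether a given broker does that is a question for its configuration or code, which this snippet does not answer; it only shows what a standards-conformant consumer of the Status element would do.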