Configuration for using Keycloak as Identity Broker and my Spring boot application as Identity provider for SAML SSO


I am trying to log in to a third-party application (Sentry in this case) using SAML SSO. Here we have selected Keycloak as Identity Broker, and my own application (front end in React and backend in Spring Boot) acts as Identity Provider, which will contain the users and remain the source of truth.

First, below are the configurations I created:

  1. Created an Identity Provider (XYZ) in Keycloak and gave it the SSO URL of my application's login page.
  2. Created a client in Keycloak for Sentry with a few details.
  3. Configured Sentry and imported the IdP metadata from the Keycloak realm's "IDP metadata SAML 2.0" data.
  4. Made the XYZ Identity Provider the default in Keycloak.

Flow: SP-Initiated Flow

  1. Land on Sentry, and it shows "Login with SAML".
  2. When I initiate this, Sentry sends a SAML authentication request to Keycloak, which redirects me to the login page of my application (XYZ).
  3. I provide credentials, authenticate the user and generate a SAML Response at my application XYZ.
  4. I then redirect the browser from the XYZ app to Keycloak using the redirect URI I get from the Identity Provider I configured. But I get an "Invalid SAML response" exception.

Regarding the flow I described above, I have a few questions which, if cleared up, can help me complete this flow and build my understanding of it.

  1. After Sentry generates the SAML authentication request, Keycloak redirects the SAML AuthnRequest as is to my XYZ application. Is that the right behavior?
  2. If I understand it right, I need to verify this SAML AuthnRequest and generate a SAML Response. Should this SAML Response be intended for Keycloak or for Sentry? What I mean is: since Keycloak is a broker, won't it parse my SAML Response and generate a new SAML Response for Sentry? Am I right about this, or am I missing something?
  3. If Keycloak is going to parse and verify my SAML Response, what exactly should the structure of my response be? Do I need to create the SAML Response according to some standard so that Keycloak can verify it?
  4. Shouldn't the SAML Response be the response to the SAML AuthnRequest started by Sentry?
  5. What should the RelayState value be?
  6. Will the IdP configuration also need to have data related to Sentry?

Well, all these burning questions are giving me a tough time.

Rohit Khurana On

I was able to understand the flow and implemented the complete SSO flow. One thing is that we need to accept the RelayState being sent with the Service Provider's SSO request. Here I was ignoring this; by adding it and sending a valid SAML Response back to Keycloak, Keycloak verifies my SAML Response and, if I have mappers created, maps those attributes and sends the response back to the Service Provider. I needed some extra configuration for attribute mappers and the "first broker login" authentication flow. After that I was able to redirect directly to Sentry.
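As an added illustration of the two fixes the answer describes (echoing the RelayState and answering the broker's own AuthnRequest rather than Sentry's), the Python below is not part of the post or of Keycloak; it decodes an HTTP-Redirect AuthnRequest such as the one Keycloak forwards to the IdP, then builds the unsigned Response skeleton whose InResponseTo, Destination, Recipient and Audience point back at the broker. The hostnames, realm, IdP alias "xyz", request ID and RelayState are constructed placeholders, and signing with the IdP key is left to the XML-DSig library in use.

```python
import base64, zlib, uuid, datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def sample_broker_request(relay_state="sentry-session-123"):
    """Constructed stand-in for the redirect Keycloak issues to the IdP (not a real capture);
    hostnames, the realm, the IdP alias 'xyz' and the request ID are placeholders."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req42" Version="2.0" '
           'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL='
           '"https://keycloak.example/realms/demo/broker/xyz/endpoint">'
           '<saml:Issuer>https://keycloak.example/realms/demo</saml:Issuer></samlp:AuthnRequest>')
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the HTTP-Redirect binding requires
    deflated = co.compress(xml.encode()) + co.flush()
    return "https://idp.example/sso?" + urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})

def parse_redirect_request(url):
    """Decode the forwarded AuthnRequest and keep the fields the Response must echo."""
    q = parse_qs(urlsplit(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
    return {"id": root.get("ID"),
            "acs": root.get("AssertionConsumerServiceURL"),  # the broker's endpoint, not Sentry's
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "relay_state": q.get("RelayState", [None])[0]}  # must travel back untouched

def build_response(req, idp_entity_id, name_id):
    """Unsigned Response skeleton for the HTTP-POST back to the broker: InResponseTo echoes
    the request ID, Destination/Recipient the broker's ACS URL, Audience the broker's issuer.
    Sign the Assertion with the IdP key registered in Keycloak before posting."""
    now = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=now, Destination=req["acs"], InResponseTo=req["id"])
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=now)
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = idp_entity_id
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").text = name_id
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", InResponseTo=req["id"], Recipient=req["acs"])
    aud = ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Conditions"), f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = req["issuer"]
    return {"xml": ET.tostring(resp, encoding="unicode"), "relay_state": req["relay_state"]}
```

The IdP posts `SAMLResponse` (base64 of the signed XML) together with the unchanged `relay_state` to the `acs` URL; Keycloak then applies its attribute mappers and issues its own response to Sentry.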