Authentication - SAML - Skip Login Page and Redirect to IdP


Overview

This guide explains how to bypass the Keycloak login page entirely and redirect users straight to your SAML Identity Provider (IdP) using a custom authentication flow.

Prerequisites

  • Keycloak admin console access
  • A SAML Identity Provider already configured in your realm (under Identity Providers) as described in Authentication - SAML
  • Note your IdP Alias (e.g. my-saml-idp) - you will need it below

Step 1 - Duplicate the Browser Flow

  1. Open the Keycloak admin console and select your realm.
  2. Go to Authentication → Flows.
  3. Select the Browser flow from the list.
  4. Click Duplicate (or the action menu → “Duplicate”).
  5. Give the new flow a descriptive name, e.g. browser-idp-only.

Step 2 - Remove Username/Password Executions

Inside your new browser-idp-only flow:

  1. Find and Delete (or set to Disabled) the following executions:
    • Username Password Form
    • OTP Form (if present)
  2. Leave the Identity Provider Redirector execution in place.

Step 3 - Configure the Identity Provider Redirector

  1. On the Identity Provider Redirector row, click the gear icon (Settings / Config).
  2. Set Default Identity Provider to the alias of your SAML IdP (e.g. my-saml-idp).
  3. Save the configuration.
  4. Set the Identity Provider Redirector requirement to Required.

Your flow should look similar to this:

Execution                      Requirement
Cookie                         Alternative
Kerberos                       Disabled
Identity Provider Redirector   Required

Step 4 - Bind the New Flow to the Browser Binding

  1. Go to Authentication → Flows.
  2. Select your new browser-idp-only flow from the list.
  3. Click the three-dot menu (⋮) on the right.
  4. Click Bind flow.
  5. In the dialog, select Browser flow as the binding type.
  6. Click Save.

Any login attempt will now automatically redirect users to your SAML IdP — no Keycloak login page will be shown.

Verifying the Configuration

  1. Open a private/incognito browser window.
  2. Navigate to your application’s login URL.
  3. You should be redirected immediately to your SAML IdP — no Keycloak login form should appear.

If the Keycloak login page still appears, check:

  • The Browser Flow binding is saved correctly under Authentication → Bindings.
  • The Identity Provider Redirector is set to Required (not Alternative or Disabled).
  • The Default Identity Provider alias exactly matches the alias shown under Identity Providers.
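The same checklist can be run against exported configuration instead of clicking through the console. The following is an added example, not part of the original guide or of Keycloak itself: it audits JSON shaped like the Keycloak Admin REST API representations (realm, flow executions, authenticator config). The sample data is constructed, and the function name audit_flow is hypothetical.

```python
import json

# Constructed sample data, shaped like Admin REST API responses for the realm,
# the flow's executions, the authenticator config and the realm's IdP aliases.
REALM = json.loads('{"realm": "demo", "browserFlow": "browser-idp-only"}')
EXECUTIONS = json.loads("""[
  {"providerId": "auth-cookie", "requirement": "ALTERNATIVE"},
  {"providerId": "auth-spnego", "requirement": "DISABLED"},
  {"providerId": "identity-provider-redirector", "requirement": "REQUIRED",
   "authenticationConfig": "cfg-1"}
]""")
CONFIGS = {"cfg-1": {"alias": "idp-redirect",
                     "config": {"defaultProvider": "my-saml-idp"}}}
IDP_ALIASES = ["my-saml-idp"]

# Provider IDs of the executions Step 2 removes or disables.
LOCAL_FORMS = {"auth-username-password-form", "auth-otp-form"}
REDIRECTOR = "identity-provider-redirector"


def audit_flow(realm, flow_alias, executions, configs, idp_aliases):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    bound = realm.get("browserFlow")
    if bound != flow_alias:
        findings.append(f"browser binding is {bound!r}, expected {flow_alias!r}")

    redirector = next(
        (e for e in executions if e.get("providerId") == REDIRECTOR), None)
    if redirector is None:
        findings.append("Identity Provider Redirector execution is missing")
    else:
        if redirector.get("requirement") != "REQUIRED":
            findings.append(
                f"redirector requirement is {redirector.get('requirement')}")
        cfg = configs.get(redirector.get("authenticationConfig"), {})
        default = cfg.get("config", {}).get("defaultProvider")
        if not default:
            findings.append("no Default Identity Provider configured")
        elif default not in idp_aliases:  # comparison is case-sensitive
            findings.append(f"default provider {default!r} matches no IdP alias")

    for e in executions:
        if e.get("providerId") in LOCAL_FORMS and e.get("requirement") != "DISABLED":
            findings.append(f"local form still enabled: {e['providerId']}")
    return findings


if __name__ == "__main__":
    print(audit_flow(REALM, "browser-idp-only", EXECUTIONS, CONFIGS, IDP_ALIASES))
```

On a live realm the inputs would come from the admin endpoints for the realm, `authentication/flows/{alias}/executions`, `authentication/config/{id}` and `identity-provider/instances`; check the field names against your Keycloak version.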

Reverting

To restore the standard login page at any time:

  1. Go to Authentication → Bindings.
  2. Set Browser Flow back to Browser (the built-in default).
  3. Click Save.