Description
After completing Keycloak SAML authentication successfully, Snipe-IT redirects back to the login page with "There was a problem while trying to log you in, please try again." The SAML response from Keycloak shows Status Success, NameID matches the Snipe-IT username exactly, and all required attributes are present. No errors appear in laravel.log even with APP_DEBUG=true. Running behind Nginx Proxy Manager on Docker.
- Snipe-IT: Latest Docker image (snipe/snipe-it:latest)
- Keycloak: 26.1.4 (Docker)
- Reverse Proxy: Nginx Proxy Manager
- Snipe-IT URL: https://inv.example.com/
- Keycloak URL: https://sso.example.com/
- Both running in Docker with a shared Docker network
- Session Driver: File
- APP_TRUSTED_PROXIES: default (not modified)
What I have configured
In Keycloak I created a SAML client with the following settings:
- Client Type: SAML
- Client ID: https://inv.example.com/
- Root URL: https://inv.example.com/
- Valid Redirect URIs: https://inv.example.com/*
- Master SAML Processing URL: https://inv.example.com/saml/acs
- Name ID Format: username
- Force Name ID Format: On
- Sign Documents: Off
- Sign Assertions: Off
- Client Signature Required: Off
I added three mappers under the client's dedicated scope:
- email (User Property → email)
- firstName (User Property → firstName)
- lastName (User Property → lastName)
I removed the role_list mapper entirely to eliminate duplicate Role attributes.
In Snipe-IT SAML settings I have configured:
- SAML Enabled: On
- IDP Metadata URL: https://sso.example.com/realms/myrealm/protocol/saml/descriptor
- Attribute Mapping Username: blank (using NameID)
- SAML Force Login: Off
- SAML Single Log Out: Off
- Custom Settings:

```
baseurl=https://inv.example.com/saml
sp.entityId=https://inv.example.com
sp.assertionConsumerService.url=https://inv.example.com/saml/acs
security.authnRequestsSigned=false
security.logoutRequestSigned=false
security.logoutResponseSigned=false
security.wantMessagesSigned=false
security.wantAssertionsSigned=false
debug=true
```
What is happening
The SAML flow appears to complete successfully on the Keycloak side. The user authenticates, Keycloak returns a SAML response with Status Success, and redirects to https://inv.example.com/saml/acs. The ACS endpoint returns a 302 redirect back to https://inv.example.com/login and the user sees the error "There was a problem while trying to log you in, please try again."
What I have confirmed
The SAML response looks clean:
- Status: Success
- NameID value matches the Snipe-IT username exactly
- Audience matches the Entity ID exactly
- No duplicate Role attributes
- No signature block
- firstName, lastName, email attributes all present
- Destination URL is correct
The user exists in Snipe-IT with the exact same username as the NameID sent by Keycloak. The user has admin permissions in Snipe-IT.
Server times are in sync between both containers. APP_DEBUG is set to true but nothing appears in laravel.log after a failed SAML login attempt.
What I have tried
- Removing the role_list mapper to eliminate duplicate Role attributes
- Setting Client Signature Required to Off in Keycloak
- Adding security settings to disable signing requirements in Snipe-IT custom settings
- Running config:clear and cache:clear after every change
- Rebuilding config cache with config:cache
- Testing in incognito browser with SAML tracer extension confirming the response looks correct
Question
Is there something specific about how Snipe-IT processes the SAML ACS response behind a reverse proxy that would cause a silent failure with no log output? Any guidance on what to check next would be greatly appreciated.
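As an added example (not Snipe-IT, Keycloak or their SAML library code), the checker below parses a SAML Response of the kind captured with SAML tracer and compares its StatusCode, Destination, Audience, NameID and attribute names, as exact strings, against the SP values given in this report. The embedded response is constructed and trimmed (no signature, no AttributeValues) so the script runs offline; replace it with a decoded response from the tracer to check a real login.

```python
"""Offline checker for a SAML Response against the SP values in this report.
Added example, not Snipe-IT/Keycloak code; hostnames come from the report."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Expectations taken from the Snipe-IT custom settings and Keycloak mappers.
EXPECTED = {
    "entity_id": "https://inv.example.com",
    "acs_url": "https://inv.example.com/saml/acs",
    "attributes": {"email", "firstName", "lastName"},
}

# Constructed, trimmed response (no signature, no AttributeValues) for the demo.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://inv.example.com/saml/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://inv.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"/><saml:Attribute Name="firstName"/><saml:Attribute Name="lastName"/></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected):
    """Return a list of mismatches; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    # Exact string comparison: scheme, host, path and trailing slash must agree.
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (missing or encrypted)")
        return problems
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != expected["entity_id"]:
        problems.append(f"Audience {aud!r} != sp.entityId")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    seen = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if missing := expected["attributes"] - seen:
        problems.append("missing attributes: " + ", ".join(sorted(missing)))
    return problems
```

An empty result only shows the response agrees with the configured SP strings; it says nothing about how the request reached the ACS endpoint through the proxy.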