If you are serving keycloak from a proxy, make sure to start with --proxy-header xforwarded. In my case I had this issue because I used HAProxy to manage the SSL certificates. Keycloak appeared to work for username/password and google sign in but didn't work for saml. Adding the proxy-header fixed it for me.