
Date: 2025-08-05 15:44:47

The ClientId in Keycloak should match the value of the Issuer tag found in the decoded SAML Request.

  1. Locate the SAMLRequest in the payload of the request sent to Keycloak

  2. Decode the SAMLRequest value using a SAML decoder.

  3. The decoded SAMLRequest should be as below. The ClientId in Keycloak should be [SP_BASE_URL]/saml2/service-provider-metadata/keycloak in this example.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="[SP_BASE_URL]/login/saml2/sso/keycloak" Destination="[IDP_BASE_URL]/realms/spring-boot-keycloak/protocol/saml" ID="???????????" IssueInstant="????????????" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">[SP_BASE_URL]/saml2/service-provider-metadata/keycloak</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#ARQdb29597-f24d-432d-bb7a-d9894e50ca4d">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>????</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>??????</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>??????????</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</saml2p:AuthnRequest>
Posted by: Ilie B
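The decode-and-compare steps from the answer above, as an added example (not part of the original post): it turns a SAMLRequest parameter value back into AuthnRequest XML, handling both the HTTP-POST (plain base64) and HTTP-Redirect (base64 of raw DEFLATE) encodings, and reports whether the Issuer equals the ClientId you configured in Keycloak. The sample request is constructed inline from the placeholders in the answer.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_request(value: str) -> bytes:
    """Recover AuthnRequest XML from a SAMLRequest parameter value.

    HTTP-POST binding carries plain base64 XML; HTTP-Redirect binding
    carries base64 of a raw DEFLATE stream. Try plain XML first.
    """
    raw = base64.b64decode(value)
    try:
        ET.fromstring(raw)
        return raw
    except ET.ParseError:
        return zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header


def authn_request_fields(xml_bytes: bytes) -> dict:
    """Pull the fields that must line up with the Keycloak client config."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        raise ValueError(f"expected saml2p:AuthnRequest, got {root.tag}")
    issuer = root.find(f"{{{SAML2}}}Issuer")
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def check_client_id(saml_request: str, keycloak_client_id: str) -> dict:
    """Decode the request and flag whether Issuer equals the Keycloak ClientId."""
    fields = authn_request_fields(decode_saml_request(saml_request))
    fields["client_id_ok"] = fields["issuer"] == keycloak_client_id
    return fields


# Constructed sample request reusing the placeholders from the answer above.
SAMPLE_XML = (
    '<saml2p:AuthnRequest xmlns:saml2p="%s" ID="_example" Version="2.0" '
    'AssertionConsumerServiceURL="[SP_BASE_URL]/login/saml2/sso/keycloak">'
    '<saml2:Issuer xmlns:saml2="%s">[SP_BASE_URL]/saml2/service-provider-metadata/keycloak'
    '</saml2:Issuer></saml2p:AuthnRequest>' % (SAML2P, SAML2)
).encode()
POST_VALUE = base64.b64encode(SAMPLE_XML).decode()  # HTTP-POST form
_deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # HTTP-Redirect form
REDIRECT_VALUE = base64.b64encode(_deflater.compress(SAMPLE_XML) + _deflater.flush()).decode()
```

Run `check_client_id(POST_VALUE, "<your Keycloak ClientId>")`; a `client_id_ok` of False with the Issuer printed beside it tells you exactly which value to paste into the Keycloak client.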