What happens when you click
1
Browser navigates to Keycloak's IdP-initiated SSO endpoint
2
Keycloak prompts for login (if no session), then generates a SAML assertion with SAC claims — no AuthnRequest involved
3
Keycloak returns an HTML auto-submit form that POSTs the assertion to Okta's ACS URL
4
Okta validates the assertion, JIT provisions the user, creates an Okta session
5
Okta redirects to the Forge Marketplace (configured as default app). Marketplace runs its standard OIDC flow — Okta session exists, so no login prompt
IdP-Initiated URL: https://keycloak.forgeglobal.dev/realms/keycloak/protocol/saml/clients/sac-poc