Is it correct to assume that the non-local user you have set up has access to the “Main” portal?
This Okta config guide may also provide some clues: Question - SAML Configuration for Okta
And maybe this Azure/Entra ID setup guide: Question - SAML Configuration for Azure AD
Of course, my ability to speak SAML ends where those guides do, but I’ve gotten it running on both Okta and Azure/Entra ID with those. Haven’t tried Keycloak yet…
**Ninja edit** - until a few years ago I was running eramba behind an NGINX proxy until it quit working behind an NGINX proxy…