Once #24112 is done, we can update SAML adapter to be able to handle the "authentication expired" error, which would be sent to it from the Keycloak server, so the SAML client is able to retry last login request and send it to Keycloak server (which should typically automatically login user due the SSO).