Context

We are migrating an existing SAML Service Provider (SP) application to Keycloak,
where Keycloak will act as an SP and broker authentication to multiple external
customer Identity Providers (IdPs).

To ensure zero impact on our customers, we have kept the following identical between
the old SP and Keycloak:

• EntityID
• SP signing certificate
• AssertionConsumerServiceURL (ACS URL)

The ACS URL format we need to preserve is:

https://mycompany.com/myapp/Main/ad/samlAuth/SSOActions

We use Nginx as a reverse proxy that routes the SAML POST response from the
customer IdP to Keycloak's internal broker

https://mycompany.com/.../SSOActions
    → https://keycloak-internal/realms/pqr/broker/<idp-alias>/endpoint

Problem

When Keycloak generates the SP-initiated AuthnRequest, it sets the
AssertionConsumerServiceURL to its own internal broker endpoint:

https://keycloak-host/realms/broker/<idp-alias>/endpoint

However, we need Keycloak to set it to our custom external ACS URL:

https://mycompany.com/myapp/Main/ad/samlAuth/SSOActions

This is critical because:

1. The customer IdP validates the ACS URL in the AuthnRequest against its registered SP metadata
2. We cannot ask customers to update their IdP configuration

Question

Is there a supported, configuration-only way in Keycloak to override the
AssertionConsumerServiceURL in the outgoing SAML AuthnRequest when using
Keycloak as an Identity Broker (SP)?