[keycloak-dev] Issue with BrowserHandler using the saml2 adapter in wildfly 10

Daniel Schmidt list-keycloak at ad-schmidt.de
Wed Nov 8 10:30:23 EST 2017


Hi Hynek,

If the URL ends in "/saml", authentication works fine. Thanks!

Could you also provide some insight into my second question, whether it is 
possible to combine Keycloak-SAML-Authentication with other 
<login-module>s for one <security-domain>?


On 27.10.2017 at 09:34, Hynek Mlnarik wrote:
> What URL have you set for the client SAML endpoint in configuration at 
> the identity provider site? The URL needs to end in "/saml" without quotes.
>
> On Fri, Oct 27, 2017 at 8:47 AM, Daniel Schmidt 
> <list-keycloak at ad-schmidt.de> wrote:
>
>     Hi everybody,
>
>     I just started to use the SAML2-authentication-adapter of Keycloak in
>     Wildfly 10. I use it according to this documentation:
>     http://www.keycloak.org/docs/3.0/securing_apps/topics/saml/java/jboss-adapter/securing_wars.html
>
>     As it did not work, I debugged into the adapter code and narrowed the
>     problem down to
>     org.keycloak.adapters.saml.undertow.UndertowSamlAuthenticator.createBrowserHandler(HttpFacade,
>     SamlDeployment, SamlSessionStore) where a
>     org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler is
>     instantiated.
>
>     This BrowserHandler always passes null as samlRequest, samlResponse
>     and relayState. When I create a
>     org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler
>     instead, the code works as expected.
>
>     Is this a bug in the BrowserHandler or am I missing some important
>     configuration option?
>
>     --
>
>     Another question on this topic:
>     The configuration with <secure-deployment>...</secure-deployment>
>     bypasses any existing <login-module> as far as I can see. Is this
>     the case?
>
>     Is there any possibility to configure a custom login-module that could
>     authenticate a user before using the Keycloak authentication
>     mechanism?
>     I would like to use the Keycloak authentication as a fallback only.
>
>
>     Thanks in advance,
>
>     Daniel Schmidt
>
>
> -- 
>
> --Hynek


