[keycloak-user] IdP-initiated saml request to saml SP which uses keycloak saml tomcat 8 adapter without configure tomcat realm

[Zou, Jay (HQP)]

Hi keycloak experts,

I am using keycloak saml tomcat 8 adapter. My question is that user is authenticated by an external saml IdP (Idp-Initiated request) through the <login-config> <auth-method>KEYCLOAK-SAML</auth-method> with all necessary configuration so I do NOT need to authenticate that user again through the tomcat realm. But the <security-constraint> defined in the web.xml of tomcat needs match the user's role to the role defined by the <auth-constraint>. Normally, the login-config will send user to the saml IdP to authenticate which will return a saml assertion that will include either an username or federation Id if the saml Idp authentication is successful. Then this username or federation Id is matched with the role defined in the <auth-constraint> by the tomcat realm. My question is that the user is already authenticated by the saml IdP so no need to match the username or federation Id to the role defined in the <auth-constraint> again in Tomcat realm. Could I do it without define a realm in tomcat? I think this is a quite common question that might already have an answer. :)

Thanks,
Jay