[keycloak-user] Tomcat SAML Client adapter and infinite redirect

Leonid Rozenblyum lrozenblyum at gmail.com
Mon May 21 02:29:35 EDT 2018


Thank you very much!

It would be a great idea to enrich the documentation on the Keycloak SAML
Tomcat adapter with the info about the mandatory Master SAML Processing URL.
It would be a life saver!

On Fri, May 18, 2018 at 5:34 PM, Qiang He <Qiang.He at lombardrisk.com> wrote:

> No, you don’t need to set up any listener. The adapter will automatically
> handle the url.
>
> Only when you don’t want to install the adapter in Tomcat, and want to use
> the pure servlet in your SP application, you need to set up a listener for
> the /saml url.
>
> *From:* Leonid Rozenblyum [mailto:lrozenblyum at gmail.com]
> *Sent:* 18 May 2018 14:53
> *To:* Qiang He <Qiang.He at lombardrisk.com>; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Tomcat SAML Client adapter and infinite
> redirect
>
> Thank you very much Qiang He!
>
> My Master SAML Processing URL was NOT set at all in keycloak (I wasn't
> aware it should be set... Before trying keycloak SAML tomcat adapter I've
> tried spring security saml extension and it didn't require this URL...)
>
> I've set it up now to <host:port>/<mywebapp>/saml
>
> It looks like the infinite redirect issue has been solved!
>
> Do I need to set up something else e.g. some listener on this /saml url or
> tomcat adapter automatically sets up something listening to this url?
>
> On Fri, May 18, 2018 at 11:25 AM, Qiang He <Qiang.He at lombardrisk.com>
> wrote:
>
> What's your Master SAML Processing URL in the Clients settings in the
> keycloak server? Make sure it ends with "/saml",
>
> Or in your client adapter setting, set the ACS URL ending with /rest, as
> per the document mentioned (copied below):
>
> assertionConsumerServiceUrl
> URL of the assertion consumer service (ACS) where the IDP login service
> should send responses to. This setting is OPTIONAL. By default it is unset,
> relying on the configuration in the IdP. When set, it must end in /saml,
> e.g. http://sp.domain.com/my/endpoint/for/saml. The value of this
> property is sent in AssertionConsumerServiceURL attribute of SAML
> AuthnRequest message. This property is typically accompanied by the
> responseBinding attribute.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Leonid Rozenblyum
> Sent: 17 May 2018 21:06
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect
>
> Hello everybody.
> I'm trying to set up Tomcat <-> Keycloak SAML integration.
> I've got stuck with the infinite redirect issue: after successful
> authentication I'm returned back to Tomcat Web app (to its protected
> resource) and then redirected back to keycloak with message YOU ARE
> ALREADY LOGGED IN.
>
> Keycloak 3.4.3
> Tomcat 8
>
> The problem is practically the same as described:
> https://stackoverflow.com/questions/43452853/unable-to-redirect-to-my-tomcat-application-after-keycloak-login
>
> The problem is reproduced when I try to load
> http://localhost:8080/lr/protected
> (the web application is attached).
>
> Thanks for every advice!
>
>
>
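
A pre-deployment check for the misconfiguration discussed in this thread, added here as an example (it is not code from the thread or from the Keycloak project). It assumes the adapter's `keycloak-saml.xml` carries `assertionConsumerServiceUrl` on `SingleSignOnService`, that the Master SAML Processing URL is passed in by hand as `idp_processing_url`, and that the URL should sit under the web application's context path; the sample XML, host names and entity IDs are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def local(tag):
    """Strip any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def adapter_acs_url(adapter_xml):
    """Return assertionConsumerServiceUrl from keycloak-saml.xml, or None if unset."""
    for el in ET.fromstring(adapter_xml).iter():
        if local(el.tag) == "SingleSignOnService":
            return el.get("assertionConsumerServiceUrl")
    return None

def effective_acs_url(adapter_xml, idp_processing_url):
    """The adapter setting is optional; when unset, the IdP-side URL applies."""
    return adapter_acs_url(adapter_xml) or idp_processing_url or None

def acs_problems(url, context_path):
    """List reasons the adapter would not receive the SAML response at `url`."""
    if not url:
        return ["no ACS URL: set Master SAML Processing URL "
                "or assertionConsumerServiceUrl"]
    problems = []
    path = urlsplit(url).path
    if not path.endswith("/saml"):
        problems.append("path %r does not end in /saml" % path)
    # Assumption of this example: the endpoint lives under the app's context path.
    if not path.startswith(context_path.rstrip("/") + "/"):
        problems.append("path %r is outside web app context %r" % (path, context_path))
    return problems

# Constructed sample: adapter config with no assertionConsumerServiceUrl,
# as in the thread (host names and entity IDs are placeholders).
ADAPTER_XML = """
<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
  <SP entityID="lr-app">
    <IDP entityID="idp">
      <SingleSignOnService requestBinding="POST"
          bindingUrl="http://keycloak.example/auth/realms/demo/protocol/saml"/>
    </IDP>
  </SP>
</keycloak-saml-adapter>
"""

if __name__ == "__main__":
    for idp_url in ("", "http://localhost:8080/lr/saml"):
        url = effective_acs_url(ADAPTER_XML, idp_url)
        print(repr(idp_url), "->", acs_problems(url, "/lr") or "ok")
```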

