Re: [keycloak-dev] Issue with BrowserHandler using the saml2 adapter in wildfly 10

What URL have you set for the client saml endpoint in configuration at the identity provider site? The url needs to end in "/saml" without quotes On Fri, Oct 27, 2017 at 8:47 AM, Daniel Schmidt <list-keycloak(a)ad-schmidt.de <mailto:list-keycloak@ad-schmidt.de>> wrote: Hi everybody, I just started to use the SAML2-authentication-adapter of Keycloak in Wildfly 10. I use it according to this documentation: http://www.keycloak.org/docs/3.0/securing_apps/topics/saml/java/jboss-ada... <http://www.keycloak.org/docs/3.0/securing_apps/topics/saml/java/jboss-ada... As it did not work, I debugged into the adapter code and narrowed the problem down to org.keycloak.adapters.saml.undertow.UndertowSamlAuthenticator.createBrowserHandler(HttpFacade, SamlDeployment, SamlSessionStore) where a org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler is instantiated. This BrowserHandler always passes null as samlRequest, samlResponse and relayState. When I create a org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler instead, the code works as expected. Is this a bug in the BrowserHandler or am I missing some important configuration option? -- Another question on this topic: The configuration with <secure-deployment >...</secure-deployment> bypasses any existing <login-module> as far as I can see. Is this the case? Is there any possibility to configure a custom login-module that could authenticate a user before using the Keycloak authentication mechanism? I would like to use the Keycloak authentication as a fallback only. Thanks in advance, Daniel Schmidt _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-dev <https://lists.jboss.org/mailman/listinfo/keycloak-dev> -- --Hynek