What's your Master SAML Processing URL in the Clients settings in the Keycloak server?
Make sure it ends with "/saml".
Or in your client adapter setting, set the ACS URL ending with /rest, as per the document
mentioned (copied below):
assertionConsumerServiceUrl
URL of the assertion consumer service (ACS) where the IDP login service should send
responses to. This setting is OPTIONAL. By default it is unset, relying on the
configuration in the IdP. When set, it must end in /saml, e.g.
http://sp.domain.com/my/endpoint/for/saml. The value of this property is sent in
AssertionConsumerServiceURL attribute of SAML AuthnRequest message. This property is
typically accompanied by the responseBinding attribute.
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Leonid Rozenblyum
Sent: 17 May 2018 21:06
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect
Hello everybody.
I'm trying to set up Tomcat <-> Keycloak SAML integration.
I've got stuck with the infinite redirect issue: after successful authentication
I'm returned to the Tomcat web app (to its protected resource) and then
redirected back to Keycloak with the message YOU ARE ALREADY LOGGED IN.
Keycloak 3.4.3
Tomcat 8
The problem is practically the same as described:
https://stackoverflow.com/questions/43452853/unable-to-redirect-to-my-tom...
The problem is reproduced when I try to load
http://localhost:8080/lr/protected
(the web application is attached).
Thanks for any advice!