FYI, heads up: A major change to our Keycloak saml client adapter is coming (PR buildling right now). Basically you'll need to register a specific endpoint with your IDPs. Before it was really any secure URL. You must now register /saml. i.e. https://example.com/<context-root>/saml The reason for this is that SAML POST binding would eat the HttpRequest input stream for any secured URL. This can be bad if you are uploading to a secure URL :) -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com