Thank you Bill,
Does the URL have to end with /saml, or just include "/saml" within the URL
(https://example.com/myapp/saml/subdir or just /myapp/saml)?
Ken
On Mon, Jun 12, 2017 at 6:47 PM, Bill Burke <bburke(a)redhat.com> wrote:
I'm pretty sure every adapter requires this. This is because of the
SAML POST binding. Adapter has to eat the input stream of the request
just to determine if it is a SAML request. There's no nice way of
putting that data back so that an application can consume it instead.
On 6/12/17 3:52 PM, ken edward wrote:
> Hello,
>
> I am implementing the tomcat SAML adapter with the IdP being ADFS.
>
> QUESTION:
> 1.) I see the below reference in the doc that seems to say the /saml
> needs to be appended to the URL of the SP? Or is this only for the
> servlet adapter and NOT the tomcat adapter that may have servlets?
>
> "For each servlet-based adapter, the endpoint you register for the
> assert consumer service URL and single logout service must be the
> base URL of your servlet application with /saml appended to it, that
> is, https://example.com/contextPath/saml."
>
> as in the below ???
>
>
> <SP entityID="http://localhost:8081/sales-post-sig/saml"
>     sslPolicy="EXTERNAL"
>     nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>     logoutPage="/saml/logout.jsp"
>     forceAuthentication="false"
>     isPassive="false"
>     turnOffChangeSessionIdOnLogin="false">
>   <Keys>
>     <Key signing="true">
>       <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
>         <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
>         <Certificate alias="http://localhost:8080/sales-post-sig/"/>
>       </KeyStore>
>     </Key>
>   </Keys>
>
> Ken
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
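
Added example (not part of the thread and not Keycloak's adapter code): a plain-Java simulation of the point made above about the SAML POST binding, showing that checking a POST for a SAML message drains the body the application would otherwise read, and that confining the check to one dedicated endpoint avoids this. The Request class, the method names, the sample form bodies and the exact-match rule on contextPath + "/saml" are assumptions; the match rule follows the documentation sentence quoted in the thread.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class SamlEndpointDemo {
    // Hypothetical stand-in for a servlet request: a path and a body stream that can be read only once.
    static final class Request {
        final String path;
        final InputStream body;
        Request(String path, String form) {
            this.path = path;
            this.body = new ByteArrayInputStream(form.getBytes(StandardCharsets.UTF_8));
        }
        String readBody() throws IOException {
            return new String(body.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    // Deciding whether a POST carries a SAML message means reading (and using up) the form body.
    static boolean isSamlPost(Request r) throws IOException {
        for (String pair : r.readBody().split("&")) {
            String name = pair.split("=", 2)[0];
            if (name.equals("SAMLResponse") || name.equals("SAMLRequest")) return true;
        }
        return false;
    }

    // Inspect every request: a non-SAML POST reaches the application with its body already drained.
    static String inspectAll(Request r) throws IOException {
        return isSamlPost(r) ? "adapter: SAML" : "app body: '" + r.readBody() + "'";
    }

    // Inspect only contextPath + "/saml" (exact match is an assumption, see the lead-in).
    static String inspectSamlEndpointOnly(Request r, String contextPath) throws IOException {
        boolean samlEndpoint = r.path.equals(contextPath + "/saml");
        return samlEndpoint && isSamlPost(r) ? "adapter: SAML" : "app body: '" + r.readBody() + "'";
    }

    public static void main(String[] args) throws IOException {
        String ctx = "/myapp";                                     // constructed sample values
        String order = "item=widget&qty=3";                        // ordinary application form post
        String saml = "SAMLResponse=CONSTRUCTED_PLACEHOLDER&RelayState=abc"; // not a real assertion
        System.out.println(inspectAll(new Request(ctx + "/orders", order)));
        System.out.println(inspectSamlEndpointOnly(new Request(ctx + "/orders", order), ctx));
        System.out.println(inspectSamlEndpointOnly(new Request(ctx + "/saml", saml), ctx));
    }
}
```

The first call prints an empty application body because the check already consumed it; the second leaves the order form intact because the path is not the SAML endpoint.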