Hello,
I have a problem with Keycloak 2.5.0 Final on WildFly, with a WAR deployed on
Tomcat 7, the org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve
registered, and a keycloak-saml.xml generated from AARealm (just a name).
After navigating to the resource, I get a correct redirect with a
SAML AuthnRequest to Keycloak on WildFly.
I can log in with a user successfully and a correct SAML Response is created, but
then I get a *loop* of requests
on the same resource on WildFly (!),
so there is no outcome until I close the window again.
What's wrong?
- Are the Redirects wrong?
- Why are the cookies expiring again? (see below)
Here are the details:
- AA.war is deployed on Tomcat on port 8280; inside there is just a
JSP page
- Keycloak runs on 8080
- A RealmAA is created with client registration and the SAML protocol on
Keycloak
- Valid Redirect URIs is
http://localhost:8280/AA/*
- Base URL is
http://localhost:8280/AA
- no other URLs are registered
- the loop of requests goes to
http://localhost:8080/auth/realms/AARealm/login-actions/authenticate?code=
<changing_every_time> HTTP/1.1
- Output on Wildfly is (again and again, the loop!)
2017-01-13 20:31:23,645 WARN [org.keycloak.events] (default task-45)
type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null,
ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,645 DEBUG
[org.keycloak.authentication.AuthenticationProcessor]
(default task-45) AUTHENTICATE
2017-01-13 20:31:23,645 DEBUG
[org.keycloak.authentication.AuthenticationProcessor]
(default task-45) AUTHENTICATE ONLY
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) processFlow
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) check execution: auth-cookie requirement: ALTERNATIVE
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) authenticator: auth-cookie
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) invoke authenticator.authenticate
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) authenticator SUCCESS: auth-cookie
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) check execution: auth-spnego requirement: DISABLED
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) execution is processed
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) check execution: identity-provider-redirector
requirement: ALTERNATIVE
2017-01-13 20:31:23,647 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) Skip alternative execution
2017-01-13 20:31:23,647 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) check execution: null requirement: ALTERNATIVE
2017-01-13 20:31:23,647 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) Skip alternative execution
2017-01-13 20:31:23,647 DEBUG [org.keycloak.protocol.oidc.TokenManager]
(default task-45) Using full scope for client
2017-01-13 20:31:23,647 DEBUG [org.keycloak.events] (default task-45)
type=LOGIN, realmId=AARealm, clientId=AA,
userId=1b24603d-c9e8-4317-995a-b42b0f91bae1,
ipAddress=127.0.0.1, auth_method=saml, consent=no_consent_required,
code_id=7ed8cc51-6c7e-4ffc-8d2a-261b9f03559d, username=user
2017-01-13 20:31:23,647 DEBUG
[org.keycloak.services.managers.AuthenticationManager]
(default task-45) Create login cookie - name: KEYCLOAK_IDENTITY, path:
/auth/realms/AARealm, max-age: -1
2017-01-13 20:31:23,648 DEBUG
[org.keycloak.services.managers.AuthenticationManager]
(default task-45) Expiring remember me cookie
2017-01-13 20:31:23,648 DEBUG
[org.keycloak.services.managers.AuthenticationManager]
(default task-45) Expiring cookie: KEYCLOAK_REMEMBER_ME path:
/auth/realms/AARealm
2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper]
(default task-45) JtaTransactionWrapper commit
2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper]
(default task-45) JtaTransactionWrapper end
2017-01-13 20:31:23,815 DEBUG [org.keycloak.transaction.JtaTransactionWrapper]
(default task-46) new JtaTransactionWrapper
2017-01-13 20:31:23,816 DEBUG [org.keycloak.transaction.JtaTransactionWrapper]
(default task-46) was existing? false
2017-01-13 20:31:23,818 WARN [org.keycloak.events] (default task-46)
type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null,
ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,819 DEBUG
[org.keycloak.authentication.AuthenticationProcessor]
(default task-46) AUTHENTICATE
2017-01-13 20:31:23,819 DEBUG
[org.keycloak.authentication.AuthenticationProcessor]
(default task-46) AUTHENTICATE ONLY
If I register
http://localhost:8280/AA/saml as "Master SAML Processing URL"
on Keycloak, then I get a 403 Forbidden.
Thanks in advance
Metehan Selvi
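The repeating LOGIN_ERROR / error=expired_code events quoted above are the footprint such a loop leaves in the Keycloak event log. As an added example (not part of the original post and not Keycloak's own code), here is a small Python script that unwraps mail-wrapped log lines, parses the org.keycloak.events records into key=value fields, and flags a (realmId, ipAddress) pair when several expired_code login errors land within a short window; it is the kind of check a defender can run over server logs to spot a redirect loop before users report it. The sample log is constructed: the first events mirror the ones quoted in the post, while the later timestamps, task numbers and the second realm are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, wrapped across lines the way the mail client wrapped the
# output quoted in the post. Events beyond the first three are invented.
SAMPLE_LOG = """\
2017-01-13 20:31:23,645 WARN [org.keycloak.events] (default task-45)
type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null,
ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,646 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-45) processFlow
2017-01-13 20:31:23,647 DEBUG [org.keycloak.events] (default task-45)
type=LOGIN, realmId=AARealm, clientId=AA,
userId=1b24603d-c9e8-4317-995a-b42b0f91bae1,
ipAddress=127.0.0.1, auth_method=saml, consent=no_consent_required,
code_id=7ed8cc51-6c7e-4ffc-8d2a-261b9f03559d, username=user
2017-01-13 20:31:23,818 WARN [org.keycloak.events] (default task-46)
type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null,
ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,990 WARN [org.keycloak.events] (default task-47)
type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null,
ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:45:01,100 WARN [org.keycloak.events] (default task-90)
type=LOGIN_ERROR, realmId=Other, clientId=null, userId=null,
ipAddress=10.0.0.5, error=expired_code, restart_after_timeout=true
"""

# A record starts with a WildFly-style timestamp; anything else is a wrapped continuation.
TS_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)


def unwrap(text):
    """Join continuation lines (no timestamp prefix) back onto the previous record."""
    records = []
    for line in text.splitlines():
        if TS_PREFIX.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records


def parse_events(text):
    """Return the org.keycloak.events records as dicts of their key=value fields."""
    events = []
    for rec in unwrap(text):
        m = RECORD_RE.match(rec)
        if not m or m.group("logger") != "org.keycloak.events":
            continue  # other loggers (authentication flow, transactions) are not events
        fields = {}
        for part in m.group("msg").split(","):
            if "=" in part:
                key, value = part.strip().split("=", 1)
                fields[key] = value
        fields["_ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        fields["_level"] = m.group("level")
        events.append(fields)
    return events


def find_loops(events, min_errors=3, window=timedelta(seconds=10)):
    """Flag (realmId, ipAddress) pairs with >= min_errors expired_code login errors
    inside a single sliding window; returns the peak count per flagged pair."""
    stamps_by_key = defaultdict(list)
    for ev in events:
        if ev.get("type") == "LOGIN_ERROR" and ev.get("error") == "expired_code":
            stamps_by_key[(ev.get("realmId"), ev.get("ipAddress"))].append(ev["_ts"])
    loops = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, t in enumerate(stamps):
            while stamps[start] < t - window:  # drop errors older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_errors:
            loops[key] = peak
    return loops


if __name__ == "__main__":
    for (realm, ip), count in find_loops(parse_events(SAMPLE_LOG)).items():
        print(f"possible redirect loop: realm={realm} ip={ip} expired_code errors={count}")
```

The threshold and window are tunable: a single expired_code error is normal (a stale tab, a double click), but several from one client within seconds means the same login-actions code is being replayed and the adapter never reaches the protected page.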