Hello there, I am using the java servlet filter adapter (http://www.keycloak.org/docs/ latest/securing_apps/index.html#java-servlet-filter-adapter) in apache-tomcat 9 and it works like a charm, thanks! The filter class is org.keycloak.adapters.saml.servlet.SamlFilter I would like to fully externalize the keycloak configuration from the deployed applications. I know that I can set the keycloack config file via the filter config param keycloak.config.file, to some external path like /usr/local/my-keycloak-saml.xml, brilliant! In the other hand the SamlFilter(https://github. com/keycloak/keycloak/blob/master/adapters/saml/servlet- filter/src/main/java/org/keycloak/adapters/saml/servlet/SamlFilter.java) looks for the keystores inside of the application context: usually something like /WEB-INF/my-keystore.jks. This is due the implementation of the ResourceLoader.getResourceAsStream(String resource) function. It looks like something like this: ResourceLoader loader = new ResourceLoader() { @Override public InputStream getResourceAsStream(String resource) { return filterConfig.getServletContext().getResourceAsStream(resource); } }; In ServletContext.getResourceAsStream(java.lang.String path) the path param must begin with a "/" and it is interpreted as relative to the current context root. I would be in favor of having the possibility of externalize this resource, perhaps having somethig like: //First try the original one InputStream is = filterConfig.getServletContext(). getResourceAsStream(resource); if(is=null) { // Try with an external one try { is = new FileInputStream(resource); } catch (FileNotFoundException e) { throw new RuntimeException(e); } } Any thoughts on this? Thanks in advance, Luis -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett