[keycloak-user] For tomcat SAML adapter, is /saml required in URL?

Bill Burke bburke at redhat.com
Mon Jun 12 18:47:16 EDT 2017


I'm pretty sure every adapter requires this.  This is because of the 
SAML POST binding.  The adapter has to eat the input stream of the request 
just to determine if it is a SAML request.  There's no nice way of 
putting that data back so that an application can consume it instead.


On 6/12/17 3:52 PM, ken edward wrote:
> Hello,
>
> I am implementing the tomcat SAML adapter with the IdP being ADFS.
>
> QUESTION:
> 1.) I see the below reference in the doc that seems to say the /saml
> needs to be appended to the URL of the SP? or is this only for the
> servlet adapter and NOT the tomcat adapter that may have servlets?
>
> "For each servlet-based adapter, the endpoint you register for the
> assert consumer service URL and single logout service must be the
> base URL of your servlet application with /saml appended to it, that
> is, https://example.com/contextPath/saml."
>
> as in the below ???
>
>
>      <SP entityID="http://localhost:8081/sales-post-sig/saml"
>          sslPolicy="EXTERNAL"
>          nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>          logoutPage="/saml/logout.jsp"
>          forceAuthentication="false"
>          isPassive="false"
>          turnOffChangeSessionIdOnLogin="false">
>          <Keys>
>              <Key signing="true" >
>                  <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
>                      <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
>                      <Certificate alias="http://localhost:8080/sales-post-sig/"/>
>                  </KeyStore>
>              </Key>
>          </Keys>
>
> Ken
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
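To illustrate the point Bill makes above, here is an added example (not the Keycloak adapter's own code): a hypothetical Tomcat servlet filter that reads the SAML POST-binding body only on the dedicated /saml path and forwards every other request untouched. The class name SamlEndpointFilter, the saml.message.type attribute and the 400 responses are assumptions for the illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.stream.*;

public class SamlEndpointFilter implements Filter {
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getParameter() on a form POST reads and consumes the request body, so
        // only the dedicated /saml path is ever inspected; every other request
        // reaches the application with its body untouched.
        if (!"POST".equals(http.getMethod()) || !http.getRequestURI().endsWith("/saml")) {
            chain.doFilter(req, res);
            return;
        }
        String encoded = http.getParameter("SAMLResponse");
        if (encoded == null) encoded = http.getParameter("SAMLRequest");
        if (encoded == null) { reject(res); return; }
        try {
            String xml = new String(Base64.getMimeDecoder().decode(encoded), StandardCharsets.UTF_8);
            // Only the root element is examined here; DTDs and external entities
            // are disabled before the untrusted XML is parsed.
            XMLInputFactory f = XMLInputFactory.newInstance();
            f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
            f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            r.nextTag();
            if (!SAMLP_NS.equals(r.getNamespaceURI())) { reject(res); return; }
            // A real adapter validates the signature and conditions at this point;
            // this example only records which message type arrived (assumed attribute name).
            req.setAttribute("saml.message.type", r.getLocalName()); // e.g. "Response", "LogoutRequest"
        } catch (XMLStreamException | IllegalArgumentException e) {
            reject(res); // malformed base64 or XML
            return;
        }
        chain.doFilter(req, res);
    }
    private static void reject(ServletResponse res) throws IOException {
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
    }
}
```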
