[keycloak-user] Tomcat SAML Client adapter and infinite redirect

Qiang He Qiang.He at lombardrisk.com
Fri May 18 10:34:50 EDT 2018


No, you don’t need to set up any listener. The adapter will automatically handle the url.

Only when you don’t want to install the adapter in Tomcat, and want to use the pure servlet in your SP application, you need to set up a listener for the /saml url.


From: Leonid Rozenblyum [mailto:lrozenblyum at gmail.com]
Sent: 18 May 2018 14:53
To: Qiang He <Qiang.He at lombardrisk.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Tomcat SAML Client adapter and infinite redirect

Thank you very much Qiang He!

My Master SAML Processing URL was NOT set at all in keycloak (I wasn't aware it should be set... Before trying keycloak SAML tomcat adapter I've tried spring security saml extension and it didn't require this URL...)

I've set it up now to <host:port>/<mywebapp>/saml

It looks like the infinite redirect issue has been solved!

Do I need to set up something else e.g. some listener on this /saml url or tomcat adapter automatically sets up something listening to this url?



On Fri, May 18, 2018 at 11:25 AM, Qiang He <Qiang.He at lombardrisk.com> wrote:
What's your Master SAML Processing URL in the Clients settings in the keycloak server? Make sure it ends with "/saml".

Or in your client adapter setting, set the ACS URL ending with /rest, as per the document mentioned (copied below):

assertionConsumerServiceUrl
URL of the assertion consumer service (ACS) where the IDP login service should send responses to. This setting is OPTIONAL. By default it is unset, relying on the configuration in the IdP. When set, it must end in /saml, e.g. http://sp.domain.com/my/endpoint/for/saml. The value of this property is sent in AssertionConsumerServiceURL attribute of SAML AuthnRequest message. This property is typically accompanied by the responseBinding attribute.



-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Leonid Rozenblyum
Sent: 17 May 2018 21:06
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect

Hello everybody.
I'm trying to set up Tomcat <-> Keycloak SAML integration.
I've got stuck with the infinite redirect issue: after successful authentication I'm returned back to Tomcat Web app (to its protected resource) and then redirected back to keycloak with message YOU ARE ALREADY LOGGED IN.

Keycloak 3.4.3
Tomcat 8

The problem is practically the same as described:
https://stackoverflow.com/questions/43452853/unable-to-redirect-to-my-tomcat-application-after-keycloak-login

The problem is reproduced when I try to load http://localhost:8080/lr/protected
(the web application is attached).

Thanks for every advice!



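The "/saml" rule from the quoted documentation, as an added consistency check that is not part of this thread or of Keycloak itself: it parses a constructed Tomcat keycloak-saml.xml (assumed layout keycloak-saml-adapter > SP > IDP > SingleSignOnService, with assertionConsumerServiceUrl as an attribute of SingleSignOnService) and flags an ACS URL or Master SAML Processing URL whose path does not end in /saml, the misconfiguration the thread identifies behind the redirect loop. Host names, ports and realm path are constructed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample adapter config (assumed element layout, see lead-in).
# The ACS URL here deliberately points at the protected resource instead of
# a path ending in /saml, reproducing the misconfiguration from the thread.
SAMPLE_ADAPTER_XML = """<keycloak-saml-adapter>
  <SP entityID="http://localhost:8080/lr" sslPolicy="EXTERNAL">
    <IDP entityID="idp">
      <SingleSignOnService requestBinding="POST"
          bindingUrl="http://localhost:8180/auth/realms/demo/protocol/saml"
          responseBinding="POST"
          assertionConsumerServiceUrl="http://localhost:8080/lr/protected"/>
    </IDP>
  </SP>
</keycloak-saml-adapter>"""


def path_ends_with_saml(url: str) -> bool:
    """True when the URL path (ignoring query, fragment and a trailing slash) ends in /saml."""
    path = urlsplit(url).path.rstrip("/")
    return path.endswith("/saml")


def check_acs_config(adapter_xml: str, master_saml_url: str) -> list:
    """Return a list of problems found; an empty list means both sides are consistent."""
    problems = []

    # The IdP-side "Master SAML Processing URL" is where Keycloak posts the
    # response when the SP does not send its own ACS URL, so it must end in /saml.
    if not path_ends_with_saml(master_saml_url):
        problems.append(
            f"Master SAML Processing URL does not end in /saml: {master_saml_url}")

    root = ET.fromstring(adapter_xml)
    sso = root.find("./SP/IDP/SingleSignOnService")
    acs = sso.get("assertionConsumerServiceUrl") if sso is not None else None

    # Unset is allowed: the adapter then relies on the IdP-side setting checked above.
    if acs is not None and not path_ends_with_saml(acs):
        problems.append(f"assertionConsumerServiceUrl does not end in /saml: {acs}")
    return problems


if __name__ == "__main__":
    for problem in check_acs_config(SAMPLE_ADAPTER_XML, "http://localhost:8080/lr/saml"):
        print("PROBLEM:", problem)
```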