[keycloak-user] Tomcat SAML Client adapter and infinite redirect

Hynek Mlnarik hmlnarik at redhat.com
Mon May 21 03:46:02 EDT 2018


Could you please file a KEYCLOAK JIRA for improving the documentation here?
There's a link ("Report an issue") in the relevant section which you can
use for that.

On Mon, May 21, 2018 at 8:29 AM, Leonid Rozenblyum <lrozenblyum at gmail.com>
wrote:

> Thank you very much!
>
> It would be a great idea to enrich the documentation on Keycloak SAML
> Tomcat adapter with the info about the mandatory Master SAML Processing
> URL.
> It would be a life saver!
>
> On Fri, May 18, 2018 at 5:34 PM, Qiang He <Qiang.He at lombardrisk.com>
> wrote:
>
> > No, you don’t need to set up any listener. The adapter will automatically
> > handle the url.
> >
> > Only when you don’t want to install the adapter in Tomcat, and want to use
> > the pure servlet in your SP application, you need to set up a listener for
> > the /saml url.
> >
> > *From:* Leonid Rozenblyum [mailto:lrozenblyum at gmail.com]
> > *Sent:* 18 May 2018 14:53
> > *To:* Qiang He <Qiang.He at lombardrisk.com>; keycloak-user at lists.jboss.org
> > *Subject:* Re: [keycloak-user] Tomcat SAML Client adapter and infinite
> > redirect
> >
> > Thank you very much Qiang He!
> >
> > My Master SAML Processing URL was NOT set at all in keycloak (I wasn't
> > aware it should be set... Before trying keycloak SAML tomcat adapter I've
> > tried spring security saml extension and it didn't require this URL...)
> >
> > I've set it up now to <host:port>/<mywebapp>/saml
> >
> > It looks like the infinite redirect issue has been solved!
> >
> > Do I need to set up something else e.g. some listener on this /saml url or
> > tomcat adapter automatically sets up something listening to this url?
> >
> > On Fri, May 18, 2018 at 11:25 AM, Qiang He <Qiang.He at lombardrisk.com>
> > wrote:
> >
> > What's your Master SAML Processing URL in the Clients settings in the
> > keycloak server? Make sure it ends with "/saml",
> >
> > Or in your client adapter setting, set the ACS URL ending with /rest, as
> > per the document mentioned (copied below):
> >
> > assertionConsumerServiceUrl
> > URL of the assertion consumer service (ACS) where the IDP login service
> > should send responses to. This setting is OPTIONAL. By default it is unset,
> > relying on the configuration in the IdP. When set, it must end in /saml,
> > e.g. http://sp.domain.com/my/endpoint/for/saml. The value of this
> > property is sent in AssertionConsumerServiceURL attribute of SAML
> > AuthnRequest message. This property is typically accompanied by the
> > responseBinding attribute.
> >
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Leonid Rozenblyum
> > Sent: 17 May 2018 21:06
> > To: keycloak-user at lists.jboss.org
> > Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect
> >
> > Hello everybody.
> > I'm trying to set up Tomcat <-> Keycloak SAML integration.
> > I've got stuck with the infinite redirect issue: after successful
> > authentication I'm returned back to Tomcat Web app (to its protected
> > resource) and then redirected back to keycloak with message YOU ARE
> > ALREADY LOGGED IN.
> >
> > Keycloak 3.4.3
> > Tomcat 8
> >
> > The problem is practically the same as described:
> > https://stackoverflow.com/questions/43452853/unable-to-redirect-to-my-tomcat-application-after-keycloak-login
> >
> > The problem is reproduced when I try to load http://localhost:8080/lr/protected
> > (the web application is attached).
> >
> > Thanks for every advice!



-- 

--Hynek
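
A configuration check for the fix this thread arrives at, added here as an example (not code from the thread or from Keycloak): it reads a keycloak-saml.xml together with the Master SAML Processing URL from the client settings and reports when the endpoint that will receive SAML responses does not end in /saml. The sample XML, the function names and the strict treatment of query strings are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample keycloak-saml.xml (entity IDs, hosts and ports are made up).
# assertionConsumerServiceUrl is unset here, so the IdP-side URL decides.
SAMPLE_ADAPTER_XML = """<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
  <SP entityID="lr-app" sslPolicy="EXTERNAL">
    <IDP entityID="idp">
      <SingleSignOnService requestBinding="POST"
          bindingUrl="http://localhost:8180/auth/realms/demo/protocol/saml"/>
    </IDP>
  </SP>
</keycloak-saml-adapter>"""

def endpoint_problem(url):
    """Return None for an absolute http(s) URL ending in /saml, else the reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "not an absolute http(s) URL"
    # Strict reading (assumption): a query string or fragment after /saml fails too.
    if parts.query or parts.fragment or not parts.path.endswith("/saml"):
        return "does not end in /saml"
    return None

def check_saml_endpoint(adapter_xml, master_saml_processing_url):
    """List findings for the adapter config plus the URL set in the IdP client."""
    findings = []
    idp_url = (master_saml_processing_url or "").strip()
    for el in ET.fromstring(adapter_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "SingleSignOnService":  # ignore XML namespace
            continue
        acs = el.get("assertionConsumerServiceUrl")
        if acs is not None:            # adapter sends this value in the AuthnRequest
            source, url = "assertionConsumerServiceUrl", acs.strip()
        elif idp_url:                  # unset: the IdP configuration is relied on
            source, url = "Master SAML Processing URL", idp_url
        else:
            findings.append("no ACS URL in the adapter and no Master SAML Processing URL in the IdP")
            continue
        why = endpoint_problem(url)
        if why:
            findings.append(f"{source} {url!r} {why}")
    return findings

if __name__ == "__main__":
    for url in ("", "http://localhost:8080/lr", "http://localhost:8080/lr/saml"):
        print(repr(url), "->", check_saml_endpoint(SAMPLE_ADAPTER_XML, url) or "ok")
```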

