From 0d3af71d6796df2f2dc55fcf02551987f09418b8 Mon Sep 17 00:00:00 2001 From: Dirk Heuvels Date: Tue, 15 Oct 2019 22:17:35 +0200 Subject: [PATCH] Amendment for common Tomcat/SAML pitfall As already proposed in https://lists.jboss.org/pipermail/keycloak-user/2018-May/013984.html --- .../saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/securing_apps/topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc b/securing_apps/topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc index c397b39d21..820cce85e4 100644 --- a/securing_apps/topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc +++ b/securing_apps/topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc @@ -51,3 +51,5 @@ Here's an example: ---- + +If the `keycloak-saml.xml` does not explicitly set `assertionConsumerServiceUrl`, the SAML adapter will implicitly listen for SAML assertions at the location `/my-context-path/saml`. This has to match `Master SAML Processing URL` in the IDP realm/client settings, e.g. `http://sp.domain.com/my-context-path/saml`. If not, Tomcat will probably redirect infinitely to the IDP login service, as it does not receive the SAML assertion after the user logged in.
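Review bot: The example URL `http://sp.domain.com/my-context-path/saml` in the added paragraph uses plain HTTP and a real registered domain; documentation examples should use a reserved name and TLS, e.g. `https://sp.example.com/my-context-path/saml`, so readers do not copy an insecure scheme or a third party's hostname into their IdP client settings. The symptom is also stated tentatively ("Tomcat will probably redirect infinitely"); a doc note is more useful when it states it plainly: the adapter redirects the browser to the IdP, the IdP posts the assertion to the configured Master SAML Processing URL, and because the adapter is not listening there the unauthenticated request is redirected again, producing a redirect loop. Minor: the Keycloak docs write "IdP" rather than "IDP", and "after the user logged in" reads better as "after the user has logged in".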