Amendment for common Tomcat/SAML pitfall

As already proposed in https://lists.jboss.org/pipermail/keycloak-user/2018-May/013984.html
Dirk Heuvels 2019-10-15 22:17:35 +02:00 committed by Stian Thorgersen
parent 9a44c8fa36
commit 0d3af71d67


@ -51,3 +51,5 @@ Here's an example:
</security-role> </security-role>
</web-app> </web-app>
---- ----
If the `keycloak-saml.xml` does not explicitly set `assertionConsumerServiceUrl`, the SAML adapter will implicitly listen for SAML assertions at the location `/my-context-path/saml`. This has to match `Master SAML Processing URL` in the IDP realm/client settings, e.g. `http://sp.domain.com/my-context-path/saml`. If not, Tomcat will probably redirect infinitely to the IDP login service, as it does not receive the SAML assertion after the user logged in.
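Review bot: The added paragraph hedges ("Tomcat will probably redirect infinitely") where it could state the failure precisely and tell the reader which of the two settings to change. Suggest spelling out the mechanism and both remedies, e.g. "If the two URLs differ, the IDP posts the assertion to an endpoint the adapter is not listening on, so the adapter never sees an authenticated session and redirects the browser back to the IDP on every request (an endless login loop). Either set `assertionConsumerServiceUrl` in `keycloak-saml.xml` to the URL registered as `Master SAML Processing URL`, or set that IDP field to `http://sp.domain.com/my-context-path/saml`." Two smaller points on the same lines: the example SP endpoint is where the IDP posts SAML assertions, so an `https://` example URL would be the better habit to show in documentation, and the paragraph follows the closing `----` of the listing block with no blank line, which differs from how the surrounding blocks in this file are separated.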