Amendment for common Tomcat/SAML pitfall
As already proposed in https://lists.jboss.org/pipermail/keycloak-user/2018-May/013984.html
parent 9a44c8fa36
commit 0d3af71d67
1 changed files with 2 additions and 0 deletions
|
@ -51,3 +51,5 @@ Here's an example:
|
|||
</security-role>
|
||||
</web-app>
|
||||
----
|
||||
|
||||
If the `keycloak-saml.xml` does not explicitly set `assertionConsumerServiceUrl`, the SAML adapter will implicitly listen for SAML assertions at the location `/my-context-path/saml`. This has to match `Master SAML Processing URL` in the IDP realm/client settings, e.g. `http://sp.domain.com/my-context-path/saml`. If not, Tomcat will probably redirect infinitely to the IDP login service, as it does not receive the SAML assertion after the user logged in.
|
||||
|
|
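Review bot: The example value in the added paragraph, `http://sp.domain.com/my-context-path/saml`, uses plain `http://` for the endpoint that receives SAML assertions; please switch the example to `https://` so readers do not copy a cleartext assertion consumer URL into their client settings. The paragraph also says Tomcat "will probably redirect infinitely", which leaves the reader unsure when the loop occurs: state the condition directly (the IDP posts the assertion to a URL the adapter is not listening on, so the adapter never sees it and sends the user back to login). It would also help to say that `/my-context-path` is a placeholder for the application's own context path, and to change "after the user logged in" to "after the user has logged in".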