saml adapter endpoint changes

adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java

@@ -38,12 +38,16 @@ public abstract class SamlAuthenticator {
 
     protected abstract void completeAuthentication(SamlSession samlSession);
 
-    private SamlAuthenticationHandler createAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+    protected SamlAuthenticationHandler createAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
         if (EcpAuthenticationHandler.canHandle(facade)) {
             return EcpAuthenticationHandler.create(facade, deployment, sessionStore);
         }
 
         // defaults to the web browser sso profile
+        return createBrowserHandler(facade, deployment, sessionStore);
+    }
+
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
         return WebBrowserSsoAuthenticationHandler.create(facade, deployment, sessionStore);
     }
 }

adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlUtil.java

@@ -2,6 +2,7 @@ package org.keycloak.adapters.saml;
 
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.saml.BaseSAML2BindingBuilder;
+import org.keycloak.saml.common.constants.GeneralConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
 import org.w3c.dom.Document;
@@ -32,4 +33,41 @@ public class SamlUtil {
         }
     }
 
+    /**
+     * Gets a url to redirect to if there is an IDP initiated login.  Looks for a redirectTo query param first, then looks
+     * in RelayState, if not in either defaults to context path.
+     *
+     * @param facade
+     * @param contextPath
+     * @param baseUri
+     * @return
+     */
+    public static String getRedirectTo(HttpFacade facade, String contextPath, String baseUri) {
+        String redirectTo = facade.getRequest().getQueryParamValue("redirectTo");
+        if (redirectTo != null && !redirectTo.isEmpty()) {
+            return buildRedirectTo(baseUri, redirectTo);
+        } else {
+            redirectTo = facade.getRequest().getFirstParam(GeneralConstants.RELAY_STATE);
+            if (redirectTo != null) {
+                int index = redirectTo.indexOf("redirectTo=");
+                if (index >= 0) {
+                    String to = redirectTo.substring(index + "redirectTo=".length());
+                    index = to.indexOf(';');
+                    if (index >=0) {
+                        to = to.substring(0, index);
+                    }
+                    return buildRedirectTo(baseUri, to);
+                }
+            }
+            if (contextPath.isEmpty()) baseUri += "/";
+            return baseUri;
+        }
+    }
+
+    private static String buildRedirectTo(String baseUri, String redirectTo) {
+        if (redirectTo.startsWith("/")) redirectTo = redirectTo.substring(1);
+        if (baseUri.endsWith("/")) baseUri = baseUri.substring(0, baseUri.length() - 1);
+        redirectTo = baseUri + "/" + redirectTo;
+        return redirectTo;
+    }
 }

adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/BrowserHandler.java

@@ -0,0 +1,24 @@
+package org.keycloak.adapters.saml.profile.webbrowsersso;
+
+import org.keycloak.adapters.saml.OnSessionCreated;
+import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.adapters.saml.profile.SamlInvocationContext;
+import org.keycloak.adapters.spi.AuthOutcome;
+import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.saml.common.constants.GeneralConstants;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class BrowserHandler extends WebBrowserSsoAuthenticationHandler {
+    public BrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        super(facade, deployment, sessionStore);
+    }
+
+    @Override
+    public AuthOutcome handle(OnSessionCreated onCreateSession) {
+        return doHandle(new SamlInvocationContext(null, null, null), onCreateSession);
+    }
+}

adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/SamlEndpoint.java

@@ -0,0 +1,33 @@
+package org.keycloak.adapters.saml.profile.webbrowsersso;
+
+import org.keycloak.adapters.saml.OnSessionCreated;
+import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.adapters.saml.profile.SamlInvocationContext;
+import org.keycloak.adapters.spi.AuthOutcome;
+import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.saml.common.constants.GeneralConstants;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class SamlEndpoint extends WebBrowserSsoAuthenticationHandler {
+    public SamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        super(facade, deployment, sessionStore);
+    }
+
+    @Override
+    public AuthOutcome handle(OnSessionCreated onCreateSession) {
+        String samlRequest = facade.getRequest().getFirstParam(GeneralConstants.SAML_REQUEST_KEY);
+        String samlResponse = facade.getRequest().getFirstParam(GeneralConstants.SAML_RESPONSE_KEY);
+        String relayState = facade.getRequest().getFirstParam(GeneralConstants.RELAY_STATE);
+        if (samlRequest != null) {
+            return handleSamlRequest(samlRequest, relayState);
+        } else if (samlResponse != null) {
+            return handleSamlResponse(samlResponse, relayState, onCreateSession);
+        }
+        return AuthOutcome.NOT_ATTEMPTED;
+
+    }
+}

adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/WebBrowserSsoAuthenticationHandler.java

@@ -25,7 +25,7 @@ public class WebBrowserSsoAuthenticationHandler extends AbstractSamlAuthenticati
         return new WebBrowserSsoAuthenticationHandler(facade, deployment, sessionStore);
     }
 
-    private WebBrowserSsoAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+    WebBrowserSsoAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
         super(facade, deployment, sessionStore);
     }
 

adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/AbstractSamlAuthenticator.java

@@ -13,6 +13,10 @@ import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.util.URIUtil;
 import org.jboss.logging.Logger;
+import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
 import org.keycloak.adapters.spi.AdapterSessionStore;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
@@ -234,16 +238,38 @@ public abstract class AbstractSamlAuthenticator extends LoginAuthenticator {
             log.debug("*** deployment isn't configured return false");
             return Authentication.UNAUTHENTICATED;
         }
-        if (!mandatory)
+        boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
+        if (!mandatory && !isEndpoint)
             return new DeferredAuthentication(this);
         JettySamlSessionStore tokenStore = getTokenStore(request, facade, deployment);
 
-        SamlAuthenticator authenticator = new SamlAuthenticator(facade, deployment, tokenStore ) {
-            @Override
-            protected void completeAuthentication(SamlSession account) {
+        SamlAuthenticator authenticator = null;
+        if (isEndpoint) {
+            authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
+                @Override
+                protected void completeAuthentication(SamlSession account) {
 
-            }
-        };
+                }
+
+                @Override
+                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+                    return new SamlEndpoint(facade, deployment, sessionStore);
+                }
+            };
+
+        } else {
+            authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
+                @Override
+                protected void completeAuthentication(SamlSession account) {
+
+                }
+
+                @Override
+                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+                    return new BrowserHandler(facade, deployment, sessionStore);
+                }
+            };
+        }
         AuthOutcome outcome = authenticator.authenticate();
         if (outcome == AuthOutcome.AUTHENTICATED) {
             if (facade.isEnded()) {

adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/JettySamlSessionStore.java

@@ -3,12 +3,14 @@ package org.keycloak.adapters.saml.jetty;
 import org.eclipse.jetty.server.Request;
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlUtil;
 import org.keycloak.adapters.spi.AdapterSessionStore;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.jetty.spi.JettyUserSessionManagement;
 import org.keycloak.adapters.saml.SamlSession;
 import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.dom.saml.v2.protocol.StatusType;
 
 import javax.servlet.http.HttpSession;
@@ -151,7 +153,13 @@ public class JettySamlSessionStore implements SamlSessionStore {
 
     @Override
     public String getRedirectUri() {
-        return (String)request.getSession(true).getAttribute(SAML_REDIRECT_URI);
+        String redirect = (String)request.getSession(true).getAttribute(SAML_REDIRECT_URI);
+        if (redirect == null) {
+            String contextPath = request.getContextPath();
+            String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
+            return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
+        }
+        return redirect;
     }
 
     @Override

adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/FilterSamlSessionStore.java

@@ -1,12 +1,14 @@
 package org.keycloak.adapters.saml.servlet;
 
 import org.jboss.logging.Logger;
+import org.keycloak.adapters.saml.SamlUtil;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.KeycloakAccount;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.saml.SamlSession;
 import org.keycloak.adapters.saml.SamlSessionStore;
 import org.keycloak.adapters.servlet.FilterSessionStore;
+import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.dom.saml.v2.protocol.StatusType;
 
 import javax.servlet.http.HttpServletRequest;
@@ -145,7 +147,13 @@ public class FilterSamlSessionStore extends FilterSessionStore implements SamlSe
     public String getRedirectUri() {
         HttpSession session = request.getSession(false);
         if (session == null) return null;
-        return (String)session.getAttribute(REDIRECT_URI);
+        String redirect = (String)session.getAttribute(REDIRECT_URI);
+        if (redirect == null) {
+            String contextPath = request.getContextPath();
+            String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
+            return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
+        }
+        return redirect;
     }
 
 }

adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/SamlFilter.java

@@ -23,11 +23,16 @@ import org.keycloak.adapters.saml.SamlAuthenticator;
 import org.keycloak.adapters.saml.SamlDeployment;
 import org.keycloak.adapters.saml.SamlDeploymentContext;
 import org.keycloak.adapters.saml.SamlSession;
+import org.keycloak.adapters.saml.SamlSessionStore;
 import org.keycloak.adapters.saml.config.parsers.DeploymentBuilder;
 import org.keycloak.adapters.saml.config.parsers.ResourceLoader;
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
 import org.keycloak.adapters.servlet.ServletHttpFacade;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
+import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.InMemorySessionIdMapper;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.saml.common.exceptions.ParsingException;
@@ -38,11 +43,16 @@ import org.keycloak.saml.common.exceptions.ParsingException;
  */
 public class SamlFilter implements Filter {
     protected SamlDeploymentContext deploymentContext;
-    protected SessionIdMapper idMapper = new InMemorySessionIdMapper();
+    protected SessionIdMapper idMapper;
     private final static Logger log = Logger.getLogger("" + SamlFilter.class);
 
     @Override
     public void init(final FilterConfig filterConfig) throws ServletException {
+        deploymentContext = (SamlDeploymentContext)filterConfig.getServletContext().getAttribute(SamlDeploymentContext.class.getName());
+        if (deploymentContext != null) {
+            idMapper = (SessionIdMapper)filterConfig.getServletContext().getAttribute(SessionIdMapper.class.getName());
+            return;
+        }
         String configResolverClass = filterConfig.getInitParameter("keycloak.config.resolver");
         if (configResolverClass != null) {
             try {
@@ -92,7 +102,9 @@ public class SamlFilter implements Filter {
             deploymentContext = new SamlDeploymentContext(deployment);
             log.fine("Keycloak is using a per-deployment configuration.");
         }
+        idMapper = new InMemorySessionIdMapper();
         filterConfig.getServletContext().setAttribute(SamlDeploymentContext.class.getName(), deploymentContext);
+        filterConfig.getServletContext().setAttribute(SessionIdMapper.class.getName(), idMapper);
 
     }
 
@@ -108,13 +120,34 @@ public class SamlFilter implements Filter {
             return;
         }
         FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(request, facade, 100000, idMapper);
+        boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
+        SamlAuthenticator authenticator = null;
+        if (isEndpoint) {
+            authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
+                @Override
+                protected void completeAuthentication(SamlSession account) {
 
-        SamlAuthenticator authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
-            @Override
-            protected void completeAuthentication(SamlSession account) {
+                }
 
-            }
-        };
+                @Override
+                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+                    return new SamlEndpoint(facade, deployment, sessionStore);
+                }
+            };
+
+        } else {
+            authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
+                @Override
+                protected void completeAuthentication(SamlSession account) {
+
+                }
+
+                @Override
+                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+                    return new BrowserHandler(facade, deployment, sessionStore);
+                }
+            };
+        }
         AuthOutcome outcome = authenticator.authenticate();
         if (outcome == AuthOutcome.AUTHENTICATED) {
             log.fine("AUTHENTICATED");

adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/AbstractSamlAuthenticatorValve.java

@@ -150,10 +150,23 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
     @Override
     public void invoke(Request request, Response response) throws IOException, ServletException {
         log.fine("*********************** SAML ************");
+        if (request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml")) {
+            CatalinaHttpFacade facade = new CatalinaHttpFacade(response, request);
+            SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
+            if (deployment != null && deployment.isConfigured()) {
+                SamlSessionStore tokenStore = getSessionStore(request, facade, deployment);
+                SamlAuthenticator authenticator = new CatalinaSamlEndpoint(facade, deployment, tokenStore);
+                executeAuthenticator(request, response, facade, deployment, authenticator);
+                return;
+            }
+
+        }
+
         try {
             super.invoke(request, response);
         } finally {
         }
+
     }
 
     protected abstract GenericPrincipalFactory createPrincipalFactory();
@@ -187,7 +200,11 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
         SamlSessionStore tokenStore = getSessionStore(request, facade, deployment);
 
 
-        CatalinaSamlAuthenticator authenticator = new CatalinaSamlAuthenticator(facade, deployment, tokenStore);
+        SamlAuthenticator authenticator = new CatalinaSamlAuthenticator(facade, deployment, tokenStore);
+        return executeAuthenticator(request, response, facade, deployment, authenticator);
+    }
+
+    protected boolean executeAuthenticator(Request request, HttpServletResponse response, CatalinaHttpFacade facade, SamlDeployment deployment, SamlAuthenticator authenticator) {
         AuthOutcome outcome = authenticator.authenticate();
         if (outcome == AuthOutcome.AUTHENTICATED) {
             log.fine("AUTHENTICATED");
@@ -209,9 +226,6 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
         AuthChallenge challenge = authenticator.getChallenge();
         if (challenge != null) {
             log.fine("challenge");
-            if (loginConfig == null) {
-                loginConfig = request.getContext().getLoginConfig();
-            }
             challenge.challenge(facade);
         }
         return false;

adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlAuthenticator.java

@@ -1,5 +1,7 @@
 package org.keycloak.adapters.saml;
 
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
 import org.keycloak.adapters.spi.HttpFacade;
 
 /**
@@ -15,4 +17,10 @@ public class CatalinaSamlAuthenticator extends SamlAuthenticator {
     protected void completeAuthentication(SamlSession account) {
         // complete
     }
+
+    @Override
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        return new BrowserHandler(facade, deployment, sessionStore);
+    }
+
 }

adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlEndpoint.java

@@ -0,0 +1,28 @@
+package org.keycloak.adapters.saml;
+
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
+import org.keycloak.adapters.spi.HttpFacade;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class CatalinaSamlEndpoint extends SamlAuthenticator {
+    public CatalinaSamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        super(facade, deployment, sessionStore);
+    }
+
+    @Override
+    protected void completeAuthentication(SamlSession account) {
+        // complete
+    }
+
+    @Override
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        return new SamlEndpoint(facade, deployment, sessionStore);
+    }
+
+
+}

adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlSessionStore.java

@@ -9,9 +9,11 @@ import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.tomcat.CatalinaUserSessionManagement;
 import org.keycloak.adapters.tomcat.GenericPrincipalFactory;
+import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
 import org.keycloak.dom.saml.v2.protocol.StatusType;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
 import java.util.LinkedList;
@@ -193,7 +195,13 @@ public class CatalinaSamlSessionStore implements SamlSessionStore {
 
     @Override
     public String getRedirectUri() {
-        return (String)getSession(true).getAttribute(SAML_REDIRECT_URI);
+        String redirect = (String)getSession(true).getAttribute(SAML_REDIRECT_URI);
+        if (redirect == null) {
+            String contextPath = request.getContextPath();
+            String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
+            return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
+        }
+        return redirect;
     }
 
     @Override

adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java

@@ -16,6 +16,7 @@
  */
 package org.keycloak.adapters.saml.undertow;
 
+import org.keycloak.adapters.saml.SamlAuthenticator;
 import org.keycloak.adapters.saml.SamlDeployment;
 import org.keycloak.adapters.saml.SamlDeploymentContext;
 import org.keycloak.adapters.saml.SamlSessionStore;
@@ -104,7 +105,14 @@ public abstract class AbstractSamlAuthMech implements AuthenticationMechanism {
             return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
         }
         SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
-        UndertowSamlAuthenticator authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
+        SamlAuthenticator authenticator = null;
+        if (exchange.getRequestPath().endsWith("/saml")) {
+            authenticator = new UndertowSamlEndpoint(facade, deploymentContext.resolveDeployment(facade), sessionStore);
+        } else {
+            authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
+
+        }
+
         AuthOutcome outcome = authenticator.authenticate();
         if (outcome == AuthOutcome.AUTHENTICATED) {
             registerNotifications(securityContext);

adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/SamlServletExtension.java

@@ -26,7 +26,9 @@ import io.undertow.servlet.ServletExtension;
 import io.undertow.servlet.api.AuthMethodConfig;
 import io.undertow.servlet.api.DeploymentInfo;
 import io.undertow.servlet.api.LoginConfig;
+import io.undertow.servlet.api.SecurityConstraint;
 import io.undertow.servlet.api.ServletSessionConfig;
+import io.undertow.servlet.api.WebResourceCollection;
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.saml.AdapterConstants;
 import org.keycloak.adapters.saml.DefaultSamlDeployment;
@@ -184,10 +186,24 @@ public class SamlServletExtension implements ServletExtension {
         ServletSessionConfig cookieConfig = new ServletSessionConfig();
         cookieConfig.setPath(deploymentInfo.getContextPath());
         deploymentInfo.setServletSessionConfig(cookieConfig);
+        addEndpointConstraint(deploymentInfo);
+
         ChangeSessionId.turnOffChangeSessionIdOnLogin(deploymentInfo);
 
      }
 
+    /**
+     * add security constraint to /saml so that the endpoint can be called and auth mechanism pinged.
+     * @param deploymentInfo
+     */
+    protected void addEndpointConstraint(DeploymentInfo deploymentInfo) {
+        SecurityConstraint constraint = new SecurityConstraint();
+        WebResourceCollection collection = new WebResourceCollection();
+        collection.addUrlPattern("/saml");
+        constraint.addWebResourceCollection(collection);
+        deploymentInfo.addSecurityConstraint(constraint);
+    }
+
     protected ServletSamlAuthMech createAuthMech(DeploymentInfo deploymentInfo, SamlDeploymentContext deploymentContext, UndertowUserSessionManagement userSessionManagement) {
         return new ServletSamlAuthMech(deploymentContext, userSessionManagement, getErrorPage(deploymentInfo));
     }

adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/ServletSamlSessionStore.java

@@ -8,19 +8,19 @@ import io.undertow.servlet.handlers.ServletRequestContext;
 import io.undertow.servlet.spec.HttpSessionImpl;
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlUtil;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.saml.SamlSession;
 import org.keycloak.adapters.saml.SamlSessionStore;
 import org.keycloak.adapters.undertow.ChangeSessionId;
 import org.keycloak.adapters.undertow.SavedRequest;
+import org.keycloak.adapters.undertow.ServletHttpFacade;
 import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
 import org.keycloak.common.util.KeycloakUriBuilder;
-import org.keycloak.dom.saml.v2.protocol.StatusType;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-import java.io.IOException;
 import java.security.Principal;
 import java.util.LinkedList;
 import java.util.List;
@@ -179,7 +179,15 @@ public class ServletSamlSessionStore implements SamlSessionStore {
     public String getRedirectUri() {
         final ServletRequestContext sc = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
         HttpSessionImpl session = sc.getCurrentServletContext().getSession(exchange, true);
-        return (String)session.getAttribute(SAML_REDIRECT_URI);
+        String redirect = (String)session.getAttribute(SAML_REDIRECT_URI);
+        if (redirect == null) {
+            ServletHttpFacade facade = new ServletHttpFacade(exchange);
+            HttpServletRequest req = (HttpServletRequest)sc.getServletRequest();
+            String contextPath = req.getContextPath();
+            String baseUri = KeycloakUriBuilder.fromUri(req.getRequestURL().toString()).replacePath(contextPath).build().toString();
+            return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
+        }
+        return redirect;
     }
 
     @Override

adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlAuthenticator.java

@@ -2,6 +2,9 @@ package org.keycloak.adapters.saml.undertow;
 
 import io.undertow.security.api.SecurityContext;
 import io.undertow.security.idm.Account;
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.saml.SamlAuthenticator;
 import org.keycloak.adapters.saml.SamlDeployment;
@@ -39,4 +42,10 @@ public class UndertowSamlAuthenticator extends SamlAuthenticator {
         securityContext.authenticationComplete(undertowAccount, "KEYCLOAK-SAML", false);
 
     }
+
+    @Override
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        return new BrowserHandler(facade, deployment, sessionStore);
+    }
+
 }

adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlEndpoint.java

@@ -0,0 +1,32 @@
+package org.keycloak.adapters.saml.undertow;
+
+import io.undertow.server.HttpHandler;
+import org.keycloak.adapters.saml.SamlAuthenticator;
+import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlSession;
+import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
+import org.keycloak.adapters.spi.HttpFacade;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class UndertowSamlEndpoint extends SamlAuthenticator {
+    public UndertowSamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        super(facade, deployment, sessionStore);
+    }
+
+
+
+    @Override
+    protected void completeAuthentication(SamlSession samlSession) {
+
+    }
+
+    @Override
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        return new SamlEndpoint(facade, deployment, sessionStore);
+    }
+}

testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java

@@ -24,6 +24,7 @@ public class SamlAdapterTest {
              ClassLoader classLoader = SamlAdapterTest.class.getClassLoader();
 
             initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post",  "post.war", classLoader);
+            initializeSamlSecuredWar("/keycloak-saml/simple-post2", "/sales-post2",  "post.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig",  "post-sig.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email",  "post-sig-email.war", classLoader);
@@ -76,7 +77,7 @@ public class SamlAdapterTest {
     }
 
 
-    //@Test Doesn't work for Wildfly as the input stream is read by getParameter for SAML POST binding
+    @Test
     public void testSavedPostRequest() throws Exception {
         testStrategy.testSavedPostRequest();
     }
@@ -129,6 +130,11 @@ public class SamlAdapterTest {
         testStrategy.testPostSimpleLoginLogoutIdpInitiated();
     }
 
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
     @Test
     public void testAttributes() throws Exception {
         testStrategy.testAttributes();

testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java

@@ -124,7 +124,7 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
     public void testSavedPostRequest() throws Exception {
         // test login to customer-portal which does a bearer request to customer-db
         driver.navigate().to(APP_SERVER_BASE_URL + "/input-portal");
-        System.out.println("Current url: " + driver.getCurrentUrl());
+        System.err.println("*********** Current url: " + driver.getCurrentUrl());
         Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/input-portal"));
         inputPage.execute("hello");
 
@@ -160,13 +160,13 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
         Response response = client.target(APP_SERVER_BASE_URL + "/employee-sig/").request().get();
         response.close();
         SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder()
-                .destination(APP_SERVER_BASE_URL + "/employee-sig/")
+                .destination(APP_SERVER_BASE_URL + "/employee-sig/saml")
                         .issuer(AUTH_SERVER_URL + "/realms/demo")
                         .status(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
         BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder()
                 .relayState(null);
         Document document = builder.buildDocument();
-        URI uri = binding.redirectBinding(document).generateURI(APP_SERVER_BASE_URL + "/employee-sig/", false);
+        URI uri = binding.redirectBinding(document).generateURI(APP_SERVER_BASE_URL + "/employee-sig/saml", false);
         response = client.target(uri).request().get();
         String errorPage = response.readEntity(String.class);
         response.close();
@@ -195,7 +195,7 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
         // first request on passive app - no login page shown, user not logged in as we are in passive mode.
         // Shown page depends on used authentication mechanism, some may return forbidden error, some return requested page with anonymous user (not logged in)
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
-        assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl());
+        assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/saml", driver.getCurrentUrl());
         System.out.println(driver.getPageSource());
         if (forbiddenIfNotauthenticated) {
             Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403"));
@@ -219,7 +219,7 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
 
         // refresh passive app page, not logged in again as we are in passive mode
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
-        assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl());
+        assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/saml", driver.getCurrentUrl());
         Assert.assertFalse(driver.getPageSource().contains("bburke"));
     }
 
@@ -235,13 +235,23 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
     public void testPostSimpleLoginLogoutIdpInitiated() {
         driver.navigate().to(AUTH_SERVER_URL + "/realms/demo/protocol/saml/clients/sales-post");
         loginPage.login("bburke", "password");
-        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post/");
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/sales-post"));
         System.out.println(driver.getPageSource());
         Assert.assertTrue(driver.getPageSource().contains("bburke"));
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post?GLO=true");
         checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post/", true);
     }
 
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        driver.navigate().to(AUTH_SERVER_URL + "/realms/demo/protocol/saml/clients/sales-post2");
+        loginPage.login("bburke", "password");
+        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post2/foo");
+        System.out.println(driver.getPageSource());
+        Assert.assertTrue(driver.getPageSource().contains("bburke"));
+        driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post2?GLO=true");
+        checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post2/", true);
+    }
+
     public void testPostSignedLoginLogout() {
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig/");
         assertAtLoginPagePostBinding();
@@ -486,7 +496,7 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
         driver.navigate().to(APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/");
         assertAtLoginPagePostBinding();
         loginPage.login("bburke", "password");
-        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/");
+        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/saml");
         System.out.println(driver.getPageSource());
         Assert.assertNotNull(ErrorServlet.authError);
         SamlAuthenticationError error = (SamlAuthenticationError)ErrorServlet.authError;

testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SendUsernameServlet.java

@@ -38,7 +38,7 @@ public class SendUsernameServlet extends HttpServlet {
         OutputStream stream = resp.getOutputStream();
         Principal principal = req.getUserPrincipal();
         stream.write("request-path: ".getBytes());
-        stream.write(req.getPathInfo().getBytes());
+        if (req.getPathInfo() != null) stream.write(req.getPathInfo().getBytes());
         stream.write("\n".getBytes());
         stream.write("principal=".getBytes());
         if (principal == null) {

testsuite/integration/src/test/java/org/keycloak/testsuite/samlfilter/SamlAdapterTest.java

@@ -24,6 +24,7 @@ public class SamlAdapterTest {
              ClassLoader classLoader = SamlAdapterTest.class.getClassLoader();
 
             initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post",  "post.war", classLoader);
+            initializeSamlSecuredWar("/keycloak-saml/simple-post2", "/sales-post2",  "post.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig",  "post-sig.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email",  "post-sig-email.war", classLoader);
@@ -72,6 +73,12 @@ public class SamlAdapterTest {
         }
     }
 
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
     @Test
     public void testMetadataPostSignedLoginLogout() throws Exception {
         testStrategy.testMetadataPostSignedLoginLogout();

testsuite/integration/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8081/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/integration/src/test/resources/keycloak-saml/sp-metadata.xml

@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

testsuite/integration/src/test/resources/keycloak-saml/testsaml.json

@@ -78,13 +78,30 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
+        {
+            "name": "http://localhost:8081/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8081/sales-post2",
+            "redirectUris": [
+                "http://localhost:8081/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
         {
             "name": "http://localhost:8081/input-portal/",
             "enabled": true,
@@ -96,10 +113,10 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8081/input-portal/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/input-portal/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/input-portal/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/input-portal/"
+                "saml_assertion_consumer_url_post": "http://localhost:8081/input-portal/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/input-portal/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/input-portal/saml"
             }
         },
         {
@@ -113,10 +130,10 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-passive/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-passive/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-passive/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-passive/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-passive/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-passive/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-passive/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-passive/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post-passive"
             }
         },
@@ -130,10 +147,10 @@
                 "http://localhost:8081/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -152,10 +169,10 @@
                 "http://localhost:8081/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -173,10 +190,10 @@
                 "http://localhost:8081/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -197,10 +214,10 @@
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -214,7 +231,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8081/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8081/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8081/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8081/bad-realm-sales-post-sig/*"
             ],
@@ -231,7 +248,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8081/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8081/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8081/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8081/bad-client-sales-post-sig/*"
             ],
@@ -252,10 +269,10 @@
                 "http://localhost:8081/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -274,7 +291,7 @@
             "redirectUris": [
                 "http://localhost:8081/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8081/employee-sig/",
+            "adminUrl": "http://localhost:8081/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -288,7 +305,7 @@
             "enabled": true,
             "protocol": "saml",
             "fullScopeAllowed": true,
-            "baseUrl": "http://localhost:8081/employee/",
+            "baseUrl": "http://localhost:8081/employee/saml",
             "redirectUris": [
                 "http://localhost:8081/employee/*"
             ],
@@ -342,7 +359,7 @@
             "redirectUris": [
                 "http://localhost:8081/employee2/*"
             ],
-            "adminUrl": "http://localhost:8081/employee2/",
+            "adminUrl": "http://localhost:8081/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -394,10 +411,10 @@
                 "http://localhost:8081/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",

testsuite/jetty/jetty81/src/test/java/org/keycloak/testsuite/JettySamlTest.java

@@ -70,6 +70,8 @@ public class JettySamlTest {
         File base = new File(dir.getFile()).getParentFile();
         //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
         list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
+        list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
+        list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
         list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
         list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
         list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@@ -103,6 +105,16 @@ public class JettySamlTest {
         } catch (Exception e) {}
     }
 
+    @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
     @Test
     public void testErrorHandling() throws Exception {
         testStrategy.testErrorHandling();

testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>

testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>

testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/jetty/jetty81/src/test/resources/keycloak-saml/sp-metadata.xml

@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

testsuite/jetty/jetty81/src/test/resources/keycloak-saml/testsaml.json

@@ -78,13 +78,45 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
+        {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
         {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",

testsuite/jetty/jetty91/src/test/java/org/keycloak/testsuite/JettySamlTest.java

@@ -70,6 +70,8 @@ public class JettySamlTest {
         File base = new File(dir.getFile()).getParentFile();
         //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
         list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
+        list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
+        list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
         list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
         list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
         list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@@ -103,6 +105,16 @@ public class JettySamlTest {
         } catch (Exception e) {}
     }
 
+    @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
     @Test
     public void testErrorHandling() throws Exception {
         testStrategy.testErrorHandling();

testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>

testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>

testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/jetty/jetty91/src/test/resources/keycloak-saml/sp-metadata.xml

@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

testsuite/jetty/jetty91/src/test/resources/keycloak-saml/testsaml.json

@@ -78,13 +78,45 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
+        {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
         {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",

testsuite/jetty/jetty92/src/test/java/org/keycloak/testsuite/JettySamlTest.java

@@ -70,6 +70,8 @@ public class JettySamlTest {
         File base = new File(dir.getFile()).getParentFile();
         //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
         list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
+        list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
+        list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
         list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
         list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
         list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@@ -103,6 +105,16 @@ public class JettySamlTest {
         } catch (Exception e) {}
     }
 
+    @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
     @Test
     public void testErrorHandling() throws Exception {
         testStrategy.testErrorHandling();

testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>

testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>

testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/jetty/jetty92/src/test/resources/keycloak-saml/sp-metadata.xml

@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

testsuite/jetty/jetty92/src/test/resources/keycloak-saml/testsaml.json

@@ -78,13 +78,45 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
+        {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
         {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",

testsuite/tomcat6/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java

@@ -61,6 +61,8 @@ public class TomcatSamlTest {
         System.setProperty("app.server.base.url", "http://localhost:8082");
         System.setProperty("my.host.name", "localhost");
         tomcat.deploySaml("/sales-post", "simple-post");
+        tomcat.deploySaml("/sales-post2", "simple-post2");
+        tomcat.deploySaml("/input-portal", "simple-input");
         tomcat.deploySaml("/sales-post-sig", "signed-post");
         tomcat.deploySaml("/sales-post-sig-email", "signed-post-email");
         tomcat.deploySaml("/sales-post-sig-transient", "signed-post-transient");
@@ -87,6 +89,16 @@ public class TomcatSamlTest {
     @Rule
     public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8082", keycloakRule);
 
+    @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
     @Test
     public void testPostSimpleLoginLogout() {
         testStrategy.testPostSimpleLoginLogout();

testsuite/tomcat6/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/tomcat6/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/tomcat6/src/test/resources/keycloak-saml/sp-metadata.xml

@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

testsuite/tomcat6/src/test/resources/keycloak-saml/testsaml.json

@@ -78,13 +78,45 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
+        {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
         {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",

testsuite/tomcat7/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java

@@ -78,6 +78,8 @@ public class TomcatSamlTest {
         tomcat.addWebapp("/bad-client-sales-post-sig", new File(base, "bad-client-signed-post").toString());
         tomcat.addWebapp("/bad-realm-sales-post-sig", new File(base, "bad-realm-signed-post").toString());
         tomcat.addWebapp("/sales-post-enc", new File(base, "encrypted-post").toString());
+        tomcat.addWebapp("/sales-post2", new File(base, "simple-post2").toString());
+        tomcat.addWebapp("/input-portal", new File(base, "simple-input").toString());
         SamlAdapterTestStrategy.uploadSP("http://localhost:8081/auth");
 
 
@@ -90,6 +92,14 @@ public class TomcatSamlTest {
         tomcat.stop();
         tomcat.destroy();
     }
+    @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
 
 
     @Test

testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/META-INF/context.xml

@@ -0,0 +1,3 @@
+<Context path="/customer-portal">
+    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
+</Context>

testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/META-INF/context.xml

@@ -0,0 +1,3 @@
+<Context path="/customer-portal">
+    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
+</Context>

testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/tomcat7/src/test/resources/keycloak-saml/sp-metadata.xml

@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

testsuite/tomcat7/src/test/resources/keycloak-saml/testsaml.json

@@ -78,13 +78,45 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
+        {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
         {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",

testsuite/tomcat8/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java

@@ -64,6 +64,8 @@ public class TomcatSamlTest {
         URL dir = TomcatSamlTest.class.getResource("/keycloak-saml/testsaml.json");
         File base = new File(dir.getFile()).getParentFile();
         tomcat.addWebapp("/sales-post", new File(base, "simple-post").toString());
+        tomcat.addWebapp("/sales-post2", new File(base, "simple-post2").toString());
+        tomcat.addWebapp("/input-portal", new File(base, "simple-input").toString());
         tomcat.addWebapp("/sales-post-sig", new File(base, "signed-post").toString());
         tomcat.addWebapp("/sales-post-sig-email", new File(base, "signed-post-email").toString());
         tomcat.addWebapp("/sales-post-sig-transient", new File(base, "signed-post-transient").toString());
@@ -91,6 +93,16 @@ public class TomcatSamlTest {
     @Rule
     public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8082", keycloakRule);
 
+    @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
     @Test
     public void testErrorHandling() throws Exception {
         testStrategy.testErrorHandling();

testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/META-INF/context.xml

@@ -0,0 +1,3 @@
+<Context path="/customer-portal">
+    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
+</Context>

testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/META-INF/context.xml

@@ -0,0 +1,3 @@
+<Context path="/customer-portal">
+    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
+</Context>

testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml

@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>

testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>

testsuite/tomcat8/src/test/resources/keycloak-saml/sp-metadata.xml

@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

testsuite/tomcat8/src/test/resources/keycloak-saml/testsaml.json

@@ -78,13 +78,45 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
+        {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
         {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",