Jetty 9.x SAML Adapters

Keycloak has a separate SAML adapter for Jetty 9.x. After installing it, you have to provide some extra configuration in each WAR you deploy to Jetty. Let's go over these steps.

Adapter Installation

Adapters are no longer included with the appliance or WAR distribution. Each adapter is a separate download on the Keycloak download site. They are also available as a Maven artifact. You must unzip the Jetty 9.x distro into Jetty 9.x's root directory. Including the adapter's jars within your WEB-INF/lib directory will not work!

    $ cd $JETTY_HOME
    $ unzip keycloak-saml-jetty92-adapter-dist.zip

Next, you will have to enable the keycloak module for your jetty.base.

    $ cd your-base
    $ java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
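
Required Per WAR Configuration

This section describes how to secure a WAR directly by adding config and editing files within your WAR package. The first thing you must do is create a WEB-INF/jetty-web.xml file in your WAR package. This is a Jetty-specific config file and you must define a Keycloak-specific authenticator within it.

Next you must create a keycloak-saml.xml adapter config file within the WEB-INF directory of your WAR. The format of this config file is described in the general adapter configuration section.

Finally you must specify both a login-config and use standard servlet security to specify role-based constraints on your URLs. Here's an example:

    <web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

        <module-name>customer-portal</module-name>

        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Customers</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>user</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>

        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>this is ignored currently</realm-name>
        </login-config>

        <security-role>
            <role-name>admin</role-name>
        </security-role>
        <security-role>
            <role-name>user</role-name>
        </security-role>
    </web-app>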
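
A pre-deployment check for the per-WAR steps above, as an added example that is not part of the Keycloak documentation or code base: it confirms the three WEB-INF files exist, flags adapter jars bundled into WEB-INF/lib, and reviews the web.xml constraints. The names `audit_war` and `build_war`, the jar-name heuristic and the sample WAR are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REQUIRED = ("WEB-INF/jetty-web.xml", "WEB-INF/keycloak-saml.xml", "WEB-INF/web.xml")

def _named(elem, name):  # elements with this local tag name, whatever the namespace
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]
def _texts(elem, name):
    return [e.text.strip() for e in _named(elem, name) if e.text]

def audit_war(war):
    """Return findings for a WAR given as a path or file object; empty list means none."""
    with zipfile.ZipFile(war) as z:
        names = z.namelist()
        findings = ["missing " + r for r in REQUIRED if r not in names]
        # Heuristic (assumption): adapter jars carry "keycloak" and "adapter" in their name.
        findings += ["adapter jar bundled in WAR: " + n for n in names
                     if n.startswith("WEB-INF/lib/") and "keycloak" in n and "adapter" in n]
        if REQUIRED[2] not in names:
            return findings
        root = ET.fromstring(z.read(REQUIRED[2]))
    if not _named(root, "login-config"):
        findings.append("web.xml: no login-config")
    declared = {r for sr in _named(root, "security-role") for r in _texts(sr, "role-name")}
    constraints = _named(root, "security-constraint")
    if not constraints:
        findings.append("web.xml: no security-constraint")
    for c in constraints:
        urls = ",".join(_texts(c, "url-pattern"))
        if not _named(c, "auth-constraint"):
            findings.append("web.xml: %s has no auth-constraint" % urls)
        for role in _texts(c, "role-name"):
            if role != "*" and role not in declared:
                findings.append("web.xml: role '%s' on %s is not declared" % (role, urls))
        if "CONFIDENTIAL" not in _texts(c, "transport-guarantee"):
            findings.append("web.xml: %s does not require CONFIDENTIAL transport" % urls)
    return findings

def build_war(files):  # in-memory WAR from {path: text}, for constructed samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, text in files.items():
            z.writestr(path, text)
    return buf

# Constructed sample: adapter jar bundled, no keycloak-saml.xml, web.xml without constraints.
SAMPLE = build_war({"WEB-INF/jetty-web.xml": "<Configure/>", "WEB-INF/web.xml": "<web-app/>",
                    "WEB-INF/lib/keycloak-saml-jetty92-adapter.jar": ""})
```

Run `audit_war` against a built WAR path before copying it into the Jetty base; the constructed `SAMPLE` yields four findings.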