To be able to secure WAR apps deployed on JBoss EAP 6.x or Wildfly, you must install and configure the Keycloak SAML Adapter Subsystem. You then provide a keycloak config, /WEB-INF/keycloak-saml.xml file in your WAR and change the auth-method to KEYCLOAK-SAML within web.xml. Both methods are described in this section.

SAML Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site. They are also available as a maven artifact. Install on Wildfly 9 or 10: $ cd $WILDFLY_HOME $ unzip keycloak-saml-wildfly-adapter-dist.zip Install on JBoss EAP 6.x: $ cd $JBOSS_HOME $ unzip keycloak-saml-eap6-adapter-dist.zip This zip file creates new JBoss Modules specific to the Wildfly Keycloak SAML Adapter within your Wildfly distro. After adding the Keycloak modules, you must then enable the Keycloak SAML Subsystem within your app server's server configuration: domain.xml or standalone.xml. There is a CLI script that will help you modify your server configuration. Start the server and run the script from the server's bin directory: $ cd $JBOSS_HOME/bin $ jboss-cli.sh -c --file=adapter-install-saml.cli The script will add the extension, subsystem, and optional security-domain as described below. ... ... ]]> The keycloak security domain should be used with EJBs and other components when you need the security context created in the secured web tier to be propagated to the EJBs (other EE component) you are invoking. Otherwise this configuration is optional. ... ]]> For example, if you have a JAX-RS service that is an EJB within your WEB-INF/classes directory, you'll want to annotate it with the @SecurityDomain annotation as follows: getCustomers() { return db.getCustomers(); } } ]]> We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain annotation when you want to propagate a keycloak security context to the EJB tier.

This section describes how to secure a WAR directly by adding config and editing files within your WAR package. The first thing you must do is create a keycloak-saml.xml adapter config file within the WEB-INF directory of your WAR. The format of this config file is describe in the general adapter configuration section. Next you must set the auth-method to KEYCLOAK-SAML in web.xml. You also have to use standard servlet security to specify role-base constraints on your URLs. Here's an example pulled from one of the examples that comes distributed with Keycloak. customer-portal Admins /admin/* admin CONFIDENTIAL Customers /customers/* user CONFIDENTIAL KEYCLOAK-SAML this is ignored currently admin user ]]>

You do not have to crack open a WAR to secure it with Keycloak. Alternatively, you can externally secure it via the Keycloak SAML Adapter Subsystem. While you don't have to specify KEYCLOAK-SAML as an auth-method, you still have to define the security-constraints in web.xml. You do not, however, have to create a WEB-INF/keycloak-saml.xml file. This metadata is instead defined within XML in your server's domain.xml or standalone.xml subsystem configuration section. ... ]]> The secure-deployment name attribute identifies the WAR you want to secure. Its value is the module-name defined in web.xml with .war appended. The rest of the configuration uses the same XML syntax as keycloak-saml.xml configuration defined in general adapter configuration. An example configuration: ]]>