redAce

Reputation: 1798

Keycloak SAML redirection stuck in loop after logging in

I'm trying to secure a URL, /monitoring, with Keycloak using SAML.

I've modified my web.xml:

<web-app>

    <!-- Javamelody Access check -->
    <login-config>
        <auth-method>KEYCLOAK-SAML</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>
    <security-role>
        <role-name>monitoringrole</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Monitoring</web-resource-name>
            <url-pattern>/monitoring</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>monitoringrole</role-name>
        </auth-constraint>
    </security-constraint>

    <listener>
        <listener-class>
            org.springframework.web.context.request.RequestContextListener
        </listener-class>
    </listener>
</web-app>

I've also modified my Tomcat 7 context.xml file with the correct Valve and added the keycloak-saml.xml in /WEB-INF. I'm correctly redirected to the IdP, but even after successfully logging in, I keep getting this message: You are already logged in

I guess I'm redirecting to the same URL I'm securing, but shouldn't Keycloak grant me access to the page?

(Screenshot: Keycloak screen after successfully logging in)

Here is my configuration on the Keycloak server (screenshot not preserved).

Am I missing something on the configuration side?

Upvotes: 2

Views: 4724

Answers (3)

Nate Z

Reputation: 51

It was resolved by changing LOCALHOST to the machine name.

Upvotes: 0

adarsh

Reputation: 1503

Faced the same issue. Went through the Keycloak logs to find "Info: Assertion expired". In my case, Keycloak and the Service Provider (client) are on different machines. The erroneous difference was that their system times were in different timezones.

The SP was creating the SAMLRequest in UTC as per its timezone, and the SAMLResponse was coming in UTC as per a different timezone.

So, maintaining the same timezone fixed the issue.

Upvotes: 1

I'm also facing the same issue, and I found the solution: you need to define your Master SAML Processing URL correctly. It is your client URL with /saml (e.g. http://localhost:8080/clienturl/saml); then it will work. Attaching the snapshot.


Upvotes: 0
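The two failure modes described in the answers above, an assertion rejected as expired because the SP's clock disagrees with the IdP's, and a SAML response whose Destination does not match the SP's assertion consumer URL (the "Master SAML Processing URL" on the Keycloak client), are the kind of thing a service provider checks before it accepts a login. The validator below reproduces both checks so you can see what the SP sees. It is an added example written for this page, not code from the question, the answers or Keycloak; the SAMLResponse, the URLs, the timestamps and the 30-second skew tolerance are all constructed values, and signature verification, which a real SP must also perform, is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used by SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (not a real Keycloak capture). Destination is
# the SP endpoint the IdP was told to post to; the assertion is valid for
# five minutes from its IssueInstant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2017-03-01T10:00:05Z"
    Destination="http://localhost:8080/clienturl/saml">
  <saml:Issuer>http://idp.example/auth/realms/demo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-03-01T10:00:05Z">
    <saml:Issuer>http://idp.example/auth/realms/demo</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-03-01T10:00:00Z" NotOnOrAfter="2017-03-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://localhost:8080/clienturl</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Assumed SP configuration for the scenarios below (constructed values).
ACS_URL = "http://localhost:8080/clienturl/saml"
AUDIENCE = "http://localhost:8080/clienturl"


def parse_saml_instant(value):
    """Parse an xsd:dateTime in the UTC 'Z' form SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_acs_url, expected_audience, now,
                   skew=timedelta(seconds=30)):
    """Return a list of validation problems; an empty list means the response is acceptable.

    Checks: Destination equals the SP's ACS URL, the assertion's validity window
    (NotBefore / NotOnOrAfter) with a clock-skew tolerance, and the audience.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response element"]

    destination = root.get("Destination")
    if destination != expected_acs_url:
        problems.append("Destination %r does not match ACS URL %r" % (destination, expected_acs_url))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in response"]

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        # Allow 'skew' seconds of disagreement between the SP and IdP clocks.
        if not_before and now + skew < parse_saml_instant(not_before):
            problems.append("assertion not yet valid (NotBefore=%s, now=%s)" % (not_before, now.isoformat()))
        if not_on_or_after and now - skew >= parse_saml_instant(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter=%s, now=%s)" % (not_on_or_after, now.isoformat()))
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and expected_audience not in audiences:
            problems.append("audience %r not in %r" % (expected_audience, audiences))
    return problems


def sp_clock_in_sync():
    """SP clock agrees with the IdP: the response is accepted."""
    now = datetime(2017, 3, 1, 10, 0, 10, tzinfo=timezone.utc)
    return check_response(SAMPLE_RESPONSE, ACS_URL, AUDIENCE, now)


def sp_clock_one_hour_off():
    """SP host reads its local wall-clock as UTC and is an hour ahead: 'Assertion expired'."""
    now = datetime(2017, 3, 1, 11, 0, 10, tzinfo=timezone.utc)
    return check_response(SAMPLE_RESPONSE, ACS_URL, AUDIENCE, now)


def wrong_acs_url():
    """IdP configured with the bare client URL instead of client URL + /saml: Destination mismatch."""
    now = datetime(2017, 3, 1, 10, 0, 10, tzinfo=timezone.utc)
    return check_response(SAMPLE_RESPONSE, "http://localhost:8080/clienturl", AUDIENCE, now)


if __name__ == "__main__":
    for scenario in (sp_clock_in_sync, sp_clock_one_hour_off, wrong_acs_url):
        print(scenario.__name__, "->", scenario() or "OK")
```

The second scenario is the situation in adarsh's answer: nothing about the assertion changed, only the SP's notion of "now", and a few minutes of skew is enough to push it past NotOnOrAfter. The third is the Master SAML Processing URL mistake: the IdP posts to the URL it was configured with, and an SP that validates Destination rejects the response before the session is ever established, which is one way to end up bouncing between IdP and SP. Keeping both machines on NTP and checking the Destination your SP logs against the URL configured on the Keycloak client resolves most cases of this shape.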
