Question
I have setup Keycloak as an IdP for SSO using SAML2.0. I have registered my client at Keycloak with the needed URLs:
Master SAML Processing URL: http://localhost:8085/myapp/saml
Although it's not necessary when I have the master URL set:
I have ACS URL POST Binding and Logout URL POST Binding both set to: http://localhost:8085/myapp/saml
Root URL: http://localhost:8085/myapp
When I try to access a protected resource i.e., a URL of the form
http://localhost:8085/myapp/protected/*, Keycloak redirects me to its login page. Now, when I get a hit on my ACS URL after successful login, I try to redirect the page to one of protected resources.
Doing this: resp.sendRedirect("http://localhost:8085/myapp/protected/home.html");.
Now, Keycloak again redirects me to login page and then gets stuck in an infinite loop.
My web.xml config is:
<filter>
    <filter-name>Keycloak Filter</filter-name>
    <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
</filter-mapping>
- Some people got it resolved by ending the Master URL with /saml, which I already have.
- I also tried putting /rest at the end of the ACS URL, but nothing works.
It just shows "You are already logged in" or just keeps redirecting.
Answer 1:
I went through the Keycloak logs and found: Info: Assertion expired. In my case, Keycloak and the Service Provider (client) are on different machines. The erroneous difference was that their system times were in different timezones.
The SP was creating the SAMLRequest in UTC as per its timezone, and the SAMLResponse was coming in UTC as per a different timezone.
So, maintaining the same timezone fixed the issue.
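Added example, not code from the question, the answer or Keycloak's SAML adapter: a minimal check of an assertion's NotBefore/NotOnOrAfter windows as an SP performs it, showing how an SP clock a couple of hours off UTC turns a freshly issued assertion into "assertion expired" while an explicit clock-skew allowance tolerates it. The assertion XML is constructed and simplified (no signature); the SP and IdP URLs are the ones from the question.

```python
"""Illustrative SAML assertion time-window check (added example, not Keycloak adapter code)."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, simplified assertion: issued 12:00:00 UTC, valid until 12:05:00 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2019-09-20T12:00:00Z">
  <saml:Issuer>http://localhost:8080/auth/realms/master</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2019-09-20T12:05:00Z"
          Recipient="http://localhost:8085/myapp/saml"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-09-20T11:59:00Z" NotOnOrAfter="2019-09-20T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML xs:dateTime values are UTC with a trailing 'Z'; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion_times(xml_text, sp_now, allowed_skew_seconds=0):
    """Validate the assertion against the SP's clock; returns (ok, reason)."""
    now = parse_saml_time(sp_now)
    skew = timedelta(seconds=allowed_skew_seconds)
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now < not_before - skew:
        return False, "assertion not yet valid"
    if now >= not_on_or_after + skew:
        return False, "assertion expired"
    # Bearer confirmation carries its own deadline, checked the same way.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("NotOnOrAfter"):
        if now >= parse_saml_time(scd.get("NotOnOrAfter")) + skew:
            return False, "bearer confirmation expired"
    return True, "ok"


if __name__ == "__main__":
    # SP clock in sync with the IdP vs. SP clock two hours ahead (e.g. local time read as UTC).
    print(check_assertion_times(SAMPLE_ASSERTION, "2019-09-20T12:01:00Z"))
    print(check_assertion_times(SAMPLE_ASSERTION, "2019-09-20T14:01:00Z"))
    print(check_assertion_times(SAMPLE_ASSERTION, "2019-09-20T14:01:00Z", 3 * 3600))
```

A skew allowance large enough to paper over a multi-hour offset also extends every assertion's lifetime by that much, so fixing the clocks (NTP, correct timezone) is the right repair and a small allowance is only for genuine drift.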
Source: https://stackoverflow.com/questions/58016693/keycloak-stuck-in-loop-after-login