Keycloak stuck in loop after login


Question

I have set up Keycloak as an IdP for SSO using SAML 2.0. I have registered my client at Keycloak with the needed URLs:
Master SAML Processing URL: http://localhost:8085/myapp/saml
Although it's not necessary when I have the master URL set, I have ACS URL POST Binding and Logout URL POST Binding both set to: http://localhost:8085/myapp/saml
Root URL: http://localhost:8085/myapp

When I try to access a protected resource i.e., a URL of the form http://localhost:8085/myapp/protected/*, Keycloak redirects me to its login page. Now, when I get a hit on my ACS URL after successful login, I try to redirect the page to one of protected resources. Doing this: resp.sendRedirect("http://localhost:8085/myapp/protected/home.html");.

Now, Keycloak again redirects me to login page and then gets stuck in an infinite loop.

My web.xml is configured as:

  <filter>
    <filter-name>Keycloak Filter</filter-name>
    <filter-class>org.keycloak.adapters.saml.servlet.SamlFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>Keycloak Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>

- Some people got it resolved by ending the Master URL with /saml, which I already have.
- I also tried putting /rest at the end of the ACS URL, but nothing works.

It just shows "You are already logged in" or just keeps redirecting.

Recommended answer

I went through the Keycloak logs to find Info: Assertion expired. In my case, Keycloak and the Service Provider (client) are on different machines. The erroneous difference was that their system times were in different timezones.

The SP was creating the SAMLRequest in UTC as per its timezone, and the SAMLResponse was coming in UTC as per a different timezone.

So, maintaining the same timezone fixed the issue.
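
The clock mismatch described in the answer can be checked directly against a captured SAMLResponse. The following is an added example, not code from the original post or from Keycloak: it compares the assertion's Conditions window with the SP's clock and reports the apparent drift. The function names, the sample response and the +05:30 offset are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: minimal unsigned response, not real Keycloak output.
SAMPLE_RESPONSE_B64 = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<saml:Assertion IssueInstant="2024-01-01T10:00:00Z">'
    b'<saml:Conditions NotBefore="2024-01-01T09:59:58Z"'
    b' NotOnOrAfter="2024-01-01T10:01:00Z"/>'
    b'</saml:Assertion></samlp:Response>'
).decode()


def parse_instant(value):
    """Parse a SAML xs:dateTime with a 'Z' suffix into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(response_b64, sp_now, skew=timedelta(0)):
    """Return (status, drift_seconds) for the assertion as seen by the SP clock.

    drift_seconds is sp_now minus the assertion's IssueInstant.
    """
    root = ET.fromstring(base64.b64decode(response_b64))
    assertion = root.find(".//saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    drift = (sp_now - parse_instant(assertion.get("IssueInstant"))).total_seconds()
    if sp_now + skew < not_before:
        return "not-yet-valid", drift
    if sp_now - skew >= not_on_or_after:
        return "expired", drift
    return "valid", drift


if __name__ == "__main__":
    true_now = datetime(2024, 1, 1, 10, 0, 5, tzinfo=timezone.utc)
    # Assumed fault: SP clock holds local time (UTC+05:30) but is treated as UTC.
    for label, now in [("synced SP", true_now),
                       ("SP clock +05:30", true_now + timedelta(hours=5, minutes=30))]:
        print(label, check_conditions(SAMPLE_RESPONSE_B64, now))
```

A drift that is a whole number of hours or half-hours points to a timezone or wall-clock misconfiguration rather than ordinary clock drift. Correct the clocks on both hosts instead of widening the skew allowance, since a large skew also lengthens the window in which a captured assertion is accepted.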
