Hello,

I have got a problem with Keycloak 2.5.0 Final on Wildfly, with a war deployed on a Tomcat 7, a registered org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve and a keycloak-saml.xml generated from AARealm (just a name).

After navigating to the resource, I got a correct redirect with SAML-AuthnRequest to Wildfly with Keycloak. I can log in with a user successfully, and a correct SAML-Response is created, but then I got a *loop* of requests on the same resource on Wildfly (!), so there is no outcome until I close the window again.

What's wrong?

- Are the redirects wrong?
- Why are the cookies expiring again? (see below)

Here are the details:

- AA.war is deployed on Tomcat with port 8280; inside there is just a JSP page
- Keycloak runs on 8080
- A RealmAA is created with client registration and SAML protocol on Keycloak
- Valid Redirect URIs is http://localhost:8280/AA/*
- Base URL is http://localhost:8280/AA
- no other URLs are registered
- the loop of requests goes to http://localhost:8080/auth/realms/AARealm/login-actions/authenticate?code= HTTP/1.1
- Output on Wildfly is (again and again, the loop!)

2017-01-13 20:31:23,645 WARN [org.keycloak.events] (default task-45) type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,645 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-45) AUTHENTICATE
2017-01-13 20:31:23,645 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-45) AUTHENTICATE ONLY
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) processFlow
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: auth-cookie requirement: ALTERNATIVE
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) authenticator: auth-cookie
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) invoke authenticator.authenticate
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) authenticator SUCCESS: auth-cookie
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: auth-spnego requirement: DISABLED
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) execution is processed
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) Skip alternative execution
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: null requirement: ALTERNATIVE
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) Skip alternative execution
2017-01-13 20:31:23,647 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-45) Using full scope for client
2017-01-13 20:31:23,647 DEBUG [org.keycloak.events] (default task-45) type=LOGIN, realmId=AARealm, clientId=AA, userId=1b24603d-c9e8-4317-995a-b42b0f91bae1, ipAddress=127.0.0.1, auth_method=saml, consent=no_consent_required, code_id=7ed8cc51-6c7e-4ffc-8d2a-261b9f03559d, username=user
2017-01-13 20:31:23,647 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/AARealm, max-age: -1
2017-01-13 20:31:23,648 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Expiring remember me cookie
2017-01-13 20:31:23,648 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/AARealm
2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-45) JtaTransactionWrapper commit
2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-45) JtaTransactionWrapper end
2017-01-13 20:31:23,815 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-46) new JtaTransactionWrapper
2017-01-13 20:31:23,816 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-46) was existing? false
2017-01-13 20:31:23,818 WARN [org.keycloak.events] (default task-46) type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,819 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-46) AUTHENTICATE
2017-01-13 20:31:23,819 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-46) AUTHENTICATE ONLY

If I register http://localhost:8280/AA/saml as "Master SAML Processing URL" on Keycloak, then I got a 403 Forbidden.

Thanks in advance

Metehan Selvi