Keycloak infinite redirect
Problem: Keycloak infinite redirect (redirect loop)
Environment: Tomcat 9 with the Keycloak adapter, a WAR-packaged project, SAML protocol, Keycloak server 12.0.2
Check the console or log output of the running Keycloak adapter:
org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleLoginResponse Adapter obtained LoginResponse, however containers session is not aware of sending any request. This may be because the session cookies created by container are not properly configured with SameSite settings. Refer to KEYCLOAK-14103 for more details.
Check the official documentation:
https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-tomcat-adapter
It states:
If the keycloak-saml.xml does not explicitly set assertionConsumerServiceUrl, the SAML adapter will implicitly listen for SAML assertions at the location /my-context-path/saml. This has to match Master SAML Processing URL in the IDP realm/client settings, e.g. http://sp.domain.com/my-context-path/saml. If not, Tomcat will probably redirect infinitely to the IDP login service, as it does not receive the SAML assertion after the user logged in.
The cause turned out to be a misconfigured Master SAML Processing URL in the client settings on the Keycloak server.
Solution: the Master SAML Processing URL must end with /saml, i.e. the adapter's context path followed by /saml
e.g. http://sp.domain.com/my-context-path/saml
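The following is an added example (not code from the original post or from the Keycloak project) that reproduces the check described above: it derives the URL at which the Tomcat SAML adapter actually listens for assertions (the context path followed by /saml, or an explicit assertionConsumerServiceUrl in keycloak-saml.xml) and compares it with the Master SAML Processing URL configured on the IdP client, tolerating default ports and trailing slashes. The SP base URL, context path and the embedded keycloak-saml.xml are constructed sample values.

```python
"""Check that the IdP's "Master SAML Processing URL" matches the URL where the
Keycloak SAML Tomcat adapter listens for assertions (otherwise the adapter
never sees the assertion and redirects to the IdP again and again)."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample keycloak-saml.xml without an explicit ACS URL, so the
# adapter falls back to <context-path>/saml as the docs describe.
SAMPLE_KEYCLOAK_SAML_XML = """<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
  <SP entityID="http://sp.domain.com/my-context-path" sslPolicy="EXTERNAL">
    <IDP entityID="idp">
      <SingleSignOnService requestBinding="POST"
          bindingUrl="http://idp.example.test/auth/realms/demo/protocol/saml"/>
    </IDP>
  </SP>
</keycloak-saml-adapter>"""


def normalize(url):
    """Canonical (scheme, host, port, path) so that :80 and a trailing / match."""
    p = urlsplit(url)
    port = p.port or DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path.rstrip("/") or "/")


def expected_acs_url(sp_base_url, context_path, keycloak_saml_xml=None):
    """URL the adapter listens on: an explicit assertionConsumerServiceUrl on
    SingleSignOnService wins, otherwise <sp_base_url>/<context_path>/saml."""
    if keycloak_saml_xml:
        for elem in ET.fromstring(keycloak_saml_xml).iter():
            # strip the urn:keycloak:saml:adapter namespace from the tag name
            if elem.tag.split("}")[-1] == "SingleSignOnService":
                explicit = elem.get("assertionConsumerServiceUrl")
                if explicit:
                    return explicit
    return sp_base_url.rstrip("/") + "/" + context_path.strip("/") + "/saml"


def check_master_url(master_saml_processing_url, sp_base_url, context_path, keycloak_saml_xml=None):
    """Return (ok, expected_url); ok is False when the IdP would post the
    assertion somewhere the adapter is not listening."""
    expected = expected_acs_url(sp_base_url, context_path, keycloak_saml_xml)
    return normalize(master_saml_processing_url) == normalize(expected), expected


if __name__ == "__main__":
    ok, expected = check_master_url("http://sp.domain.com/my-context-path",
                                    "http://sp.domain.com", "/my-context-path",
                                    SAMPLE_KEYCLOAK_SAML_XML)
    print("OK" if ok else "MISMATCH: Master SAML Processing URL should be " + expected)
```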