Per WAR Configuration

This section describes how to secure a WAR directly by adding config and editing files within your WAR package.

The first thing you must do is create a META-INF/context.xml file in your WAR package. This is a Tomcat specific config file and you must define a Keycloak specific Valve.

<Context path="/your-context-path">
    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>

Next you must create a keycloak-saml.xml adapter config file within the WEB-INF directory of your WAR. The format of this config file is describe in the General Adapter Config section.

Finally you must specify both a login-config and use standard servlet security to specify role-base constraints on your URLs. Here’s an example:

<web-app xmlns=""



        <realm-name>this is ignored currently</realm-name>