On a Wildfly-14.0.1.Final on JDK 1.8 on Linux, I have installed keycloak-saml-wildfly-adapter-22.0.5.zip, the adapter-elytron-install-saml-offline.cli
variant (all outcomes successful).
Now I have configured a war inside an ear protected by keycloak. When the SP is accessed, it successfully redirects to the login of the IP, but then I get a failure when it redirects to the SP:
2025-03-28 14:34:36,303 ERROR [org.keycloak.saml.common] (default task-1) Error in base64 decoding saml message.: java.lang.NullPointerException
    at javax.xml.transform.stax.StAXSource.<init>(StAXSource.java:122)
    at org.keycloak.saml.common.util.StaxParserUtil.getDOMElement(StaxParserUtil.java:491)
    at org.keycloak.saml.processing.core.parsers.saml.protocol.SAMLResponseParser.processSubElement(SAMLResponseParser.java:72)
    at org.keycloak.saml.processing.core.parsers.saml.protocol.SAMLResponseParser.processSubElement(SAMLResponseParser.java:38)
    at org.keycloak.saml.common.parsers.AbstractStaxParser.parse(AbstractStaxParser.java:97)
    at org.keycloak.saml.processing.core.parsers.saml.SAMLParser.parse(SAMLParser.java:123)
With a Firefox plugin I have captured the SAML and I have decrypted it with an online tool and the private key, so it does not look like the issue.
The configuration in the WEB-INF/web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure URLs</web-resource-name>
        <url-pattern>/profesional/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>role_name</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK-SAML</auth-method>
    <realm-name>Unused</realm-name>
</login-config>
and the WEB-INF/keycloak-saml:
<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="urn:keycloak:saml:adapter {saml_adapter_xsd_urn}">
    <SP entityID="https://[REDACTED]/[REDACTED]/sp"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        logoutPage="/logout.jsp">
        <Keys>
            <Key signing="true" encryption="true">
                <KeyStore password="[REDACTED]" file="${jboss.server.config.dir}/[REDACTED].p12" type="PKCS12">
                    <PrivateKey alias="[REDACTED]" password="[REDACTED]"/>
                    <Certificate alias="[REDACTED]"/>
                </KeyStore>
            </Key>
        </Keys>
        <PrincipalNameMapping policy="FROM_ATTRIBUTE" attribute="urn:oid:2.5.4.3"/>
        <RoleIdentifiers>
            <Attribute name="urn:oid:1.2.840.113556.1.2.102"/>
        </RoleIdentifiers>
        <IDP entityID="https://[REDACTED]/idp/shibboleth" signaturesRequired="true">
            <SingleSignOnService requestBinding="POST" responseBinding="POST" bindingUrl="https://[REDACTED]/idp/profile/SAML2/POST/SSO"/>
            <SingleLogoutService requestBinding="REDIRECT" responseBinding="REDIRECT" postBindingUrl="https://[REDACTED]/idp/profile/SAML2/POST/SLO" redirectBindingUrl="https://[REDACTED]/idp/profile/SAML2/Redirect/SLO"/>
            <Keys>
                <Key signing="true">
                    <KeyStore password="[REDACTED]" file="${jboss.server.config.dir}/idp.p12" type="PKCS12">
                        <Certificate alias="signing"/>
                    </KeyStore>
                </Key>
            </Keys>
            <AllowedClockSkew>300</AllowedClockSkew>
        </IDP>
    </SP>
</keycloak-saml-adapter>
I have checked the code of the StaxParserUtil class, it is:
Source source = new StAXSource(xmlEventReader);
so it seems that xmlEventReader is null (I could not find out where it is created from).
Any ideas?
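Since the adapter logs the failure as "Error in base64 decoding saml message", a first step when debugging a case like this is to check, offline, that the SAMLResponse form value the SP actually received decodes to well-formed XML with the elements the adapter expects (a samlp:Response carrying an Issuer, a Status, a Signature when the IDP is configured with signaturesRequired="true", and an Assertion or EncryptedAssertion). The script below is an added example written for this post; it is not part of the question or of the Keycloak adapter. The sample response it inspects is constructed inline (the entity IDs and URLs in it are placeholders), and it does not decrypt anything: it only reports what is structurally present in the decoded message.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and XML signatures.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: a minimal signed response with one encrypted assertion.
# Entity IDs and URLs are placeholders, not values from the question.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_resp1" Version="2.0" IssueInstant="2025-03-28T13:34:36Z"
                Destination="https://sp.example.invalid/app/saml"
                InResponseTo="_req1">
  <saml:Issuer>https://idp.example.invalid/idp/shibboleth</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  </saml:EncryptedAssertion>
</samlp:Response>
"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")


def decode_saml_post_value(value: str) -> bytes:
    """Decode a SAMLResponse POST field. Whitespace or line breaks that a proxy,
    a log viewer or copy-paste may have inserted are removed first, and missing
    padding is restored; anything outside the base64 alphabet is an error."""
    compact = "".join(value.split())
    padded = compact + "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"SAMLResponse is not valid base64: {exc}") from exc


def inspect_saml_response(value: str) -> dict:
    """Decode the POST value and report which SAML elements the SP would find."""
    raw = decode_saml_post_value(value)
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"decoded payload is not well-formed XML: {exc}") from exc
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "is_response": root.tag == "{%s}Response" % NS["samlp"],
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "destination": root.get("Destination", ""),
        "in_response_to": root.get("InResponseTo", ""),
        "status": status.get("Value", "") if status is not None else "",
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def findings(value: str, signatures_required: bool = True) -> list:
    """Turn the report into a list of things worth checking against the SP and
    IDP configuration; an empty list means the message looks structurally sane."""
    report = inspect_saml_response(value)
    problems = []
    if not report["is_response"]:
        problems.append("root element is not samlp:Response")
    if not report["issuer"]:
        problems.append("no saml:Issuer (must match the IDP entityID in keycloak-saml.xml)")
    if report["status"] != SUCCESS:
        problems.append(f"status is {report['status'] or 'missing'}, not Success")
    if signatures_required and not report["response_signed"]:
        problems.append("response carries no ds:Signature but signaturesRequired is true")
    if report["assertions"] + report["encrypted_assertions"] == 0:
        problems.append("no Assertion or EncryptedAssertion in the response")
    return problems


if __name__ == "__main__":
    # Paste the captured SAMLResponse value in place of SAMPLE_RESPONSE to check a real capture.
    print(inspect_saml_response(SAMPLE_RESPONSE))
    print(findings(SAMPLE_RESPONSE) or "no structural problems found")
```

Run it with the value copied from the POST body captured in the browser; if `decode_saml_post_value` or the XML parse raises, the bytes the SP received differ from what the IdP sent, which is a different problem from the key material or the adapter configuration.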