[keycloak-dev] Support for key rotation in SAML Redirect binding
Hynek Mlnarik
hmlnarik at redhat.com
Mon Oct 31 11:36:47 EDT 2016
Surely KC implements both SAML SP and IdP. I am afraid that in a strict
sense, there is also no KC-to-SP or SP-to-KC communiication. But by
natural extension of concepts, by "KC-to-KC", an IdP-to-SP communication
is meant where KC is implementor of both parts. SAML 2.0 is designed to
be extensible and allows Implementation specific extensions that are not
interpreted if the receiving party does not know how to handle them.
This is interoperable as long as the meaning of the original SAML
message retains the same meaning. Hints like key ID are hence valid use
of this extension.
Just for the record - SAML IdP is represented by KC server, SAML SP part
is handled by KC adapters.
--Hynek
On 10/31/2016 04:13 PM, John Dennis wrote:
> On 10/31/2016 10:53 AM, Hynek Mlnarik wrote:
>> Fortunately, in the case where Keycloak is both signing and
>> validating so this condition is satisfied.
>
> When is KC both signing a SAML message and validating the same signature?
>
>> Though this may be needed for a communication between KC and non-KC,
>> for KC-to-KC communication, this type of guessing should be avoided
>> if a valid way exists.
>
> In SAML messages are one-way. There is KC-to-SP communication and
> SP-to-KC communication. What is this KC-to-KC communication you refer to?
>
More information about the keycloak-dev
mailing list