[keycloak-user] import SAML keys via command line

John Dennis jdennis at redhat.com
Wed Sep 20 09:34:48 EDT 2017


On 09/20/2017 05:14 AM, Pieter Lukasse wrote:
> Hi John,
> 
> thanks for your replies. I might have caused some confusion by not 
> stating the question clearly. I did have a screenshot in my initial 
> post, but this is apparently not allowed...so I will try with words :)
> 
> I am referring to the process of importing SAML keys when you are using 
> the Administration console (from your browser). Go to "Clients" menu 
> item, select a SAML client, and then click on "SAML Keys" tab. There you 
> can import the keys. Now I am looking for a command line alternative for 
> this, so I don't have to use the web page.

O.K., keys used for SAML SP signing and encryption are a different 
story. I can't tell you how Keycloak stores these internally, nor should 
you be dependent on whatever the current implementation is. You mentioned a 
Java keystore, but that's just one possibility, plus you would have to 
know how Keycloak manages the key names (including key rotation).

You should stick to using Keycloak's defined interfaces. The standard way 
SAML SP keys are imported to an IdP is by loading the SP's metadata, 
which contains the key(s). You can do this either with the Web UI, the 
client registration protocol, or with the REST API. The latter two can be 
done from the command line if you have the proper tooling to communicate 
with the Keycloak endpoints. I've written code that does exactly this. 
Or you can use the REST API to update the client representation directly 
in lieu of using metadata. The Keycloak team has done some work on 
providing a command line administration tool, but I'm not sure of the 
status of that effort.

But one question I'm left with is why you're changing an SP's keys so 
often that this is actually a burden. (Or similarly, why you're not using 
metadata.)


-- 
John
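As an added illustration of the "update the client representation directly over the REST API" route John mentions (this is example code, not John's tooling and not part of Keycloak itself), the script below fetches a SAML client's representation from the Admin REST API, replaces only its signing or encryption certificate attribute, and writes it back. The URL layout with the /auth prefix, the admin-cli password grant, and the attribute keys saml.signing.certificate / saml.encryption.certificate are assumptions based on the Keycloak versions of that era; check them against a client exported from your own server. The certificate is a constructed placeholder, not a real key, and only public certificate material is sent: the SP keeps its private key, the IdP only needs the certificate to verify signatures or encrypt assertions.

```python
"""Added example: replace a Keycloak SAML client's certificate via the Admin REST API.

Assumptions (not from the mailing-list post):
- /auth URL prefix and password grant against client_id 'admin-cli' in realm 'master'.
- Client attributes 'saml.signing.certificate' / 'saml.encryption.certificate'
  hold base64 DER without PEM armour. Verify against your Keycloak version.
"""
import base64
import json
import re
import textwrap
import urllib.parse
import urllib.request

ATTRIBUTE_KEYS = {
    "signing": "saml.signing.certificate",
    "encryption": "saml.encryption.certificate",
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder "certificate": valid base64, not real DER.
SAMPLE_CERT_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_CERT_BODY, 64))
              + "\n-----END CERTIFICATE-----\n")


def pem_to_base64_der(pem: str) -> str:
    """Strip PEM armour and whitespace; return the base64 body Keycloak stores.
    Rejects input with no CERTIFICATE block or a corrupt/truncated base64 body."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())
    try:
        base64.b64decode(body, validate=True)
    except Exception as exc:  # binascii.Error for bad padding / characters
        raise ValueError("certificate body is not valid base64") from exc
    return body


def build_attribute_update(rep: dict, cert_pem: str, use: str = "signing") -> dict:
    """Return a deep copy of a ClientRepresentation with just one certificate
    attribute replaced; every other attribute the client already has is kept."""
    if use not in ATTRIBUTE_KEYS:
        raise ValueError(f"use must be one of {sorted(ATTRIBUTE_KEYS)}")
    if rep.get("protocol") != "saml":
        raise ValueError("client is not a SAML client; refusing to set SAML key attributes")
    updated = json.loads(json.dumps(rep))  # deep copy so the caller's dict is untouched
    updated.setdefault("attributes", {})[ATTRIBUTE_KEYS[use]] = pem_to_base64_der(cert_pem)
    return updated


def admin_token(base_url: str, user: str, password: str) -> str:
    """Password grant for the admin-cli client (assumed layout, master realm)."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": user, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/auth/realms/master/protocol/openid-connect/token",
                                 data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _admin_api(base_url: str, token: str, method: str, path: str, body=None):
    req = urllib.request.Request(
        f"{base_url}/auth/admin/realms/{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def update_saml_client_cert(base_url: str, token: str, realm: str, client_id: str,
                            cert_pem: str, use: str = "signing") -> str:
    """Look up the client by its human-readable clientId, PUT the updated
    representation to its UUID path, and return that UUID."""
    found = _admin_api(base_url, token, "GET",
                       f"{realm}/clients?clientId={urllib.parse.quote(client_id)}")
    if len(found) != 1:
        raise LookupError(f"expected exactly one client named {client_id!r}, got {len(found)}")
    rep = found[0]
    _admin_api(base_url, token, "PUT", f"{realm}/clients/{rep['id']}",
               build_attribute_update(rep, cert_pem, use))
    return rep["id"]


if __name__ == "__main__":
    # Offline demonstration on a constructed representation; no server needed.
    sample_rep = {"id": "00000000-0000-0000-0000-000000000000", "clientId": "example-sp",
                  "protocol": "saml", "attributes": {"saml.signing.certificate": "OLD"}}
    print(json.dumps(build_attribute_update(sample_rep, SAMPLE_PEM)["attributes"], indent=2))
```

To run it against a server, call admin_token() and then update_saml_client_cert(base_url, token, realm, "your-sp-clientId", open("sp-signing.crt").read(), "signing"). The GET-then-PUT pattern matters because the Admin API's PUT replaces the whole representation: sending a hand-built partial document would drop the client's other attributes.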

