[keycloak-user] Can KeyCloak support Multi-lateral SAML federation?

Chris Phillips Chris.Phillips at canarie.ca
Thu Aug 30 12:37:09 EDT 2018


Hi.
I’m going through assessing KeyCloak as being able to be an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak.

For an IdP to be considered interoperable in a multi-lateral SAML trust federation context, IdPs need to be able to do a base set of functions. These are some of the critical (but not only) ones:

  * Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
  * Validate the signature on the aggregate
  * When signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.

I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something.

Is anyone using KeyCloak in this manner or are there plans for this functionality on KeyCloak’s technical roadmap?

Some additional items to decorate my ask for information.

To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly.

The list of items important for interoperability can be seen here with the ones I called out above appearing in section 2.2.1:
https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html


I’ve searched the keycloak-users list a bit and came across the reference to EntitiesDescriptor, which led me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for reading in aggregates is not possible and maybe engineered out of the product itself. Am I right in thinking that?


Thoughts and insights welcome.

Chris.
___________________________________________________________________________________________
Chris Phillips
Technical Architect, Canadian Access Federation, CANARIE | chris.phillips at canarie.ca | GPG: 0x7F6245580380811D
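The three steps Chris lists (fetch the aggregate, verify its signature, then load the trusted IdPs and SPs) are what a federation-aware metadata consumer has to implement. The following is an added illustration, not code from Keycloak or from the original post, of the parsing and gating part of that pipeline using only the Python standard library. It walks an `md:EntitiesDescriptor` aggregate (including nested groups), classifies each entity by its role descriptors, honours `validUntil` and `cacheDuration`, and refuses to hand back any entities unless the caller reports that the enveloped `ds:Signature` was cryptographically verified. That verification itself is deliberately left to an XML-DSig library such as xmlsec; the `signature_verified` flag, the sample aggregate and all entityIDs in it are constructed for this example.

```python
import datetime as dt
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample aggregate: one IdP, one SP, one entity that is both (e.g. a proxy),
# with a placeholder enveloped signature on the root EntitiesDescriptor.
SAMPLE_AGGREGATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="example-federation" validUntil="2099-01-01T00:00:00Z" cacheDuration="PT1H">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="example-subgroup">
    <md:EntityDescriptor entityID="https://sp.example.org/sp">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
    <md:EntityDescriptor entityID="https://proxy.example.org/saml">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>
"""


def parse_saml_datetime(value):
    """Parse an xsd:dateTime in UTC (SAML metadata requires the trailing Z)."""
    if not value.endswith("Z"):
        raise ValueError("validUntil must be expressed in UTC with a trailing Z")
    body = value[:-1].split(".")[0]  # drop optional fractional seconds
    return dt.datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def parse_cache_duration(value):
    """Convert an xsd:duration such as PT1H or PT30M into seconds (time part only)."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value)
    if not m:
        raise ValueError(f"unsupported cacheDuration: {value}")
    hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_aggregate(xml_bytes, now=None):
    """Structural parse of a metadata aggregate. Does NOT verify the signature."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError(f"expected md:EntitiesDescriptor root, got {root.tag}")
    valid_until_raw = root.get("validUntil")
    valid_until = parse_saml_datetime(valid_until_raw) if valid_until_raw else None
    cache = root.get("cacheDuration")
    idps, sps = [], []
    # iter() descends into nested EntitiesDescriptor groups, which aggregates commonly use.
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        if ed.find(f"{{{MD}}}IDPSSODescriptor") is not None:
            idps.append(entity_id)
        if ed.find(f"{{{MD}}}SPSSODescriptor") is not None:
            sps.append(entity_id)
    return {
        "signed": root.find(f"{{{DS}}}Signature") is not None,  # presence only
        "valid_until": valid_until,
        "expired": valid_until is not None and valid_until <= now,
        "refresh_seconds": parse_cache_duration(cache) if cache else None,
        "idps": idps,
        "sps": sps,
    }


def load_trusted_entities(xml_bytes, signature_verified, now=None):
    """Gate entity loading on the caller's XML-DSig result and on validUntil.

    signature_verified is assumed to come from a real verifier (e.g. xmlsec) run
    against the federation's published signing key; nothing here checks crypto.
    """
    info = parse_aggregate(xml_bytes, now=now)
    if not info["signed"]:
        raise ValueError("aggregate carries no ds:Signature; refusing to load")
    if not signature_verified:
        raise ValueError("aggregate signature did not verify; refusing to load")
    if info["expired"]:
        raise ValueError("aggregate validUntil has passed; refusing to load stale trust")
    return {"idps": info["idps"], "sps": info["sps"],
            "refresh_seconds": info["refresh_seconds"]}


if __name__ == "__main__":
    loaded = load_trusted_entities(SAMPLE_AGGREGATE, signature_verified=True)
    print(f"{len(loaded['idps'])} IdPs, {len(loaded['sps'])} SPs, refresh every {loaded['refresh_seconds']}s")
```

The ordering matters: the signature is checked before anything from the document is acted on, and an expired `validUntil` is treated as a hard failure rather than a warning, since an attacker who can replay an old aggregate would otherwise be able to reintroduce entities the federation has since removed. At the scale mentioned in the post (thousands of entities refreshed hourly), `cacheDuration` is the hint a consumer should use for its refresh timer.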


