[keycloak-user] Can KeyCloak support Multi-lateral SAML federation?

Hynek Mlnarik hmlnarik at redhat.com
Wed Oct 3 04:04:22 EDT 2018


Keycloak server currently has no way to refresh the metadata of other
parties in the federation, this functionality would need to be implemented.
It looks like rather a good feature though, related to a more narrow
use case of [1]. Feel free to raise a feature request in JIRA.

[1] https://issues.jboss.org/browse/KEYCLOAK-4199.

On Thu, Aug 30, 2018 at 10:08 PM Chris Phillips <Chris.Phillips at canarie.ca>
wrote:

> Hi.
> I’m going through assessing KeyCloak as being able to be an Identity
> Provider in a multi-lateral SAML federation context and am seeking insight
> from the users and devs involved in KeyCloak.
>
> For an IdP to be considered interoperable in a multi-lateral SAML trust
> federation context,  IdPs need to be able to do a base set of functions.
> These are some of the critical (but not only) ones:
>
>   *   Retrieve, with a configurable frequency (usually hourly), an online
> metadata aggregate
>   *   validate the signature on the aggregate
>   *   when signature validity is verified, load all the entities (Identity
> Providers/Service Providers) to be trusted or used in trust decisions in
> the Identity Provider.
>
> I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could
> be missing something.
>
> Is anyone using KeyCloak in this manner or are there plans for this
> functionality on KeyCloak’s technical roadmap?
>
> Some additional items to decorate my ask for information.
>
> To give an idea of scale, the aggregates I want to work with have ~4500
> entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly.
>
> The list of items important for interoperability can be seen here with the
> ones I called out above appearing in section 2.2.1:
> https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
>
>
> I’ve searched the keycloak-users list a bit and came across the reference
> to EntitiesDescriptor which led me to this issue and code update in
> KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to
> think that the support for reading in aggregates is not possible and maybe
> engineered out of the product itself. Am I right in thinking that?
>
>
> Thoughts and insights welcome.
>
> Chris.
>
> ___________________________________________________________________________________________
> Chris Phillips
> Technical Architect, Canadian Access Federation, CANARIE|
> chris.phillips at canarie.ca | GPG: 0x7F6245580380811D
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
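The three steps Chris lists (fetch the aggregate, verify its signature, then load the trusted IdPs and SPs) as an added Python example; this is not Keycloak code and not part of the thread. It assumes the caller has already run an XML-DSig check on the document with a proper library (e.g. xmlsec) against the federation's pinned signing key and passes the result in; the block itself only refuses unverified, unsigned or expired aggregates and then builds the entityID-to-role table from a constructed sample EntitiesDescriptor.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample aggregate (not a real federation): one IdP, one SP,
# an enveloped ds:Signature on the root and a validUntil far in the future.
SAMPLE_AGGREGATE = b"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:constructed-federation" validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_aggregate(xml_bytes, signature_verified, now=None):
    """Return {entityID: roles} once the caller has verified the XML-DSig
    signature (assumed done with e.g. xmlsec against the federation's
    pinned key); unsigned or expired aggregates are rejected."""
    if not signature_verified:
        raise ValueError("aggregate signature not verified; refusing to load")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntitiesDescriptor")
    if root.find("ds:Signature", NS) is None:
        raise ValueError("aggregate carries no signature")
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            raise ValueError("aggregate validUntil has passed")
    trusted = {}
    # iter() also reaches EntityDescriptors nested in sub-EntitiesDescriptors.
    for ent in root.iter("{%s}EntityDescriptor" % NS["md"]):
        roles = set()
        if ent.find("md:IDPSSODescriptor", NS) is not None:
            roles.add("idp")
        if ent.find("md:SPSSODescriptor", NS) is not None:
            roles.add("sp")
        trusted[ent.get("entityID")] = roles
    return trusted
```

For an hourly refresh, call this from a scheduler and swap the returned table in atomically only when it succeeds, so a failed or tampered download leaves the previous trusted set in place.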

