<div dir="ltr"><pre>Hi,<br><br></pre><pre>I am wondering if it is possible to access the SPSSODescriptor of an identity provider on a public available URL.<br>Not to be confused with the IdPSSODescriptor (/auth/realms/{realm}/protocol/saml/descriptor) which is publicly available.<br>I found the API call /auth/admin/realms/{realm}/identity-provider/instances/{identity-provider}/export , but this API call requires authentication.<br>The IdP on the other end of the line needs to be able to retrieve this descriptor without authentication.<br>I found a thread on the mailing list from earlier this year where the existence of this feature is discussed, but the current status is unclear to me.<br><br>Regards,<br></pre><pre>Ton<br></pre><pre> From: Pedro Igor Silva <<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">psilva at redhat.com</a>>
To: Raghu Prabhala <<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">prabhalar at yahoo.com</a>>
Cc: Keycloak-user <<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">keycloak-user at lists.jboss.org</a>>
Sent: Thursday, February 19, 2015 6:33 AM
Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
----- Original Message -----
><i> From: "Raghu Prabhala" <<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">prabhalar at yahoo.com</a>>
</i>><i> To: "Keycloak-user" <<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">keycloak-user at lists.jboss.org</a>>
</i>><i> Sent: Thursday, February 19, 2015 12:20:00 AM
</i>><i> Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
</i>><i>
</i>><i> Hi,
</i>><i>
</i>><i> I tested out the SAML broker functionality that is listed in the below
</i>><i> example
</i>><i> <a href="https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication">https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication</a>
</i>><i>
</i>><i> We have a very important use case that is similar to the above except that
</i>><i> the SAML Identity broker is ADFS and a few issues are preventing me from
</i>><i> testing it out:
</i>><i>
</i>><i> 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
</i>><i> metadata) which is not available currently. Perhaps I can generate my own
</i>><i> metadata using the above example but would prefer KC to provide one that is
</i>><i> similar to IDP metadata that is listed in the documentation.
</i>
In this case you need a SPSSODescriptor, right ? I think we can easily implement an endpoint to retrieve SP metadata for SAML applications.
[RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking forward to see it near term.
><i> 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
</i>><i> being parsed by the KC SAML broker. I logged my issues in the JIRA
</i>><i> <a href="https://issues.jboss.org/browse/KEYCLOAK-883">https://issues.jboss.org/browse/KEYCLOAK-883</a>
</i>
I've already fixed our parsers. However, the RoleDescriptor you have in that metadata are describing WS-Federation entities that will just be ignored.
[RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are described under RoleDescriptor - so I will have to build something to handle that. Any advice on where I should start?
><i> 3) The roles and other claims need to passed back to the client applications
</i>><i> using OIDC (I am aware that Bill is making some functionality available over
</i>><i> the next few days and hopefully it will address my requirement)
</i>><i>
</i>><i> Any suggestions on how I handle the first two?
</i>><i>
</i>><i> Thanks,
</i>><i> Raghu
</i>><i>
</i>><i>
</i>><i> _______________________________________________
</i>><i> keycloak-user mailing list
</i>><i> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">keycloak-user at lists.jboss.org</a>
</i>><i> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a>
</i><i></i></pre></div>