Hi.
I sent this to the Users list and have had zero response. Re-sending here on the dev list
hoping to hear feedback and thoughts from Keycloak Devs on my questions around
KeyCloak's ability to support multi-lateral federation and if it is on the roadmap.
Thanks, and I look forward to thoughts and comments.
Chris.
On 2018-08-30, 4:06 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Chris Phillips" <keycloak-user-bounces(a)lists.jboss.org on behalf of Chris.Phillips(a)canarie.ca> wrote:
Hi.
I’m going through assessing KeyCloak as being able to be an Identity Provider in a
multi-lateral SAML federation context and am seeking insight from the users and devs
involved in KeyCloak.
For an IdP to be considered interoperable in a multi-lateral SAML trust federation
context, IdPs need to be able to do a base set of functions. These are some of the
critical (but not only) ones:
* Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
* Validate the signature on the aggregate
* When signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing
something.
Is anyone using KeyCloak in this manner or are there plans for this functionality on
KeyCloak’s technical roadmap?
Some additional items to decorate my ask for information:
To give an idea of scale, the aggregates I want to work with have ~4500 entities with
2800 IdPs and 2100 SPs and need to be refreshed hourly.
The list of items important for interoperability can be seen here with the ones I
called out above appearing in section 2.2.1:
https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
I’ve searched the keycloak-users list a bit and came across the reference to
EntitiesDescriptor, which led me to this issue and code update in KeyCloak:
https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for
reading in aggregates is not possible and maybe engineered out of the product itself. Am
I right in thinking that?
Thoughts and insights welcome.
Chris.
___________________________________________________________________________________________
Chris Phillips
Technical Architect, Canadian Access Federation, CANARIE | chris.phillips@canarie.ca | GPG: 0x7F6245580380811D
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
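As an added illustration of the three steps Chris lists (fetch the aggregate, verify its signature, then load the entities), here is example code that is not from the thread, from Keycloak or from CANARIE: it parses an EntitiesDescriptor aggregate, refuses it if it is unsigned or past its validUntil, drops individual entities whose validUntil has passed, and returns the IdP and SP entityIDs to trust. The sample aggregate, entityIDs and function names are constructed; the cryptographic XML-DSig check is assumed to be performed by a dedicated library (for example xmlsec) before this function is called.

```python
# Added example for this thread, not Keycloak's code: load a SAML metadata aggregate
# (EntitiesDescriptor) the way a federation-aware IdP must. The aggregate is constructed;
# XML-DSig verification is assumed done by an external library (e.g. xmlsec) beforehand.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    Name="urn:example:constructed-federation" validUntil="2999-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp1.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.org/idp" validUntil="2000-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _expired(el, now):
    """True if the element's validUntil (UTC, e.g. 2018-08-30T20:06:00Z) has passed."""
    v = el.get("validUntil")
    return v is not None and datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now


def load_aggregate(xml_text, now=None):
    """Return {"idps": [...], "sps": [...]} of still-valid entityIDs, or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    # On untrusted input use a hardened parser (e.g. defusedxml); stdlib ET is used for portability.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("not an EntitiesDescriptor aggregate")
    if root.find(f"{{{DS}}}Signature") is None:
        raise ValueError("aggregate is unsigned; refuse to load it")
    if _expired(root, now):
        raise ValueError("aggregate validUntil has passed; keep the previous copy")
    out = {"idps": [], "sps": []}
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):  # iter() also walks nested groups
        if _expired(ent, now):
            continue  # stale entity: drop it rather than trust it
        if ent.find(f"{{{MD}}}IDPSSODescriptor") is not None:
            out["idps"].append(ent.get("entityID"))
        if ent.find(f"{{{MD}}}SPSSODescriptor") is not None:
            out["sps"].append(ent.get("entityID"))
    return out
```

Running this on the constructed aggregate yields one IdP and one SP; the second IdP is dropped because its own validUntil is in the past, which is the per-entity staleness check an hourly refresh cycle relies on.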