[keycloak-dev] Can KeyCloak support Multi-lateral SAML federation?

Hi. I sent this to the Users list and have had zero response. Re-sending here on the dev list hoping to hear feedback and thoughts from Keycloak Devs on my questions around KeyCloak's ability to support multi-lateral federation and if it is on the roadmap. Thanks and look forward to thoughts and comments.. Chris. On 2018-08-30, 4:06 PM, &quot;keycloak-user-bounces(a)lists.jboss.org on behalf of Chris Phillips" <keycloak-user-bounces(a)lists.jboss.org on behalf of Chris.Phillips(a)canarie.ca&gt; wrote: Hi. I’m going through assessing KeyCloak as being able to be an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak. For an IdP to be considered interoperable in a multi-lateral SAML trust federation context, IdPs need to be able to do a base set of functions. These are some of the critical (but not only) ones: * Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate * validate the signature on the aggregate * when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider. I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something. Is anyone using KeyCloak in this manner or are there plans for this functionality on KeyCloak’s technical roadmap? Some additional items to decorate my ask for information.. To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly. The list of items important for interoperability can be seen here with the ones I called out above appearing in section 2.2.1: https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html I’ve searched the keycloak-users list a bit and came across the reference to EntitiesDescriptor which lead me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for reading in aggregates is not possible and maybe engineered out of the product itself. Am I right in thinking that? Thoughts and insights welcome.. Chris. ___________________________________________________________________________________________ Chris Phillips Technical Architect, Canadian Access Federation, CANARIE| chris.phillips@canarie.ca<mailto:chris.phillips@canarie.ca> |GPG: 0x7F6245580380811D _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user