Hi All,
Currently, KeyCloak supports two mechanisms to download SAML metadata.
One is using this public URL
<root>/auth/realms/{realm}/protocol/saml/descriptor.
The Second option is to download it from the installation tab of the client
or using this API /admin/realms/{realm}/clients/
{id}/installation/providers/{providerId}
It seems that there are some differences between them. Especially the first
option returns you metadata with an extra <EntitiesDescriptor> tag. Such as
<EntitiesDescriptor Name="urn:keycloak"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<EntityDescriptor entityID="http://10.164.44.249:1130/auth/realms/7BOM25F24Y
">
.........
</EntityDescriptor>
</EntitiesDescriptor>
When we try to upload this metadata (downloaded from the public URL) to
PingOne, it doesn't like it (metadata from installation tab works fine). Is
there any reason for this?
Regards,
Muein