Re: [keycloak-user] Differences between SAML descriptors

On 02/03/2017 03:23 PM, Muein Muzamil wrote: If the SP is unable to parse SP metadata containing an EntitiesDescriptor in addtion to an EntityDescriptor then the SP is at fault. All the EntitiesDescriptor is is a container for multiple EntityDescriptor elements, it is perfectly permissible to have a container contain only 1 element just as it's acceptable to omit the container and have a bare element. If your SP cannot parse a metadata file containing a EntitiesDescriptor tag it's easy to strip it off the xml with a text editor. Irrespective of the SP's ability to parse metadata containing an EntitiesDescriptor element is the requirement stated in Section 4.1.1 of the SAML Metadata spec which requires metadata published at the IdP's well known location for metadata retrieval to contain *only* a EntityDescriptor as the root element. Since <root>/auth/realms/{realm}/protocol/saml/descriptor is as close as Keycloak gets to published well known location for IdP metadata retrieval the use of a EntitiesDescriptor violates the SAML spec. I don't believe there is JIRA filed for this yet. However, I emphasize this is independent of the SP's ability ability to parse the IdP metadata because it does not know where the IdP metadata originated from. It should iterate over all the EntityDescriptor's looking for an IDPSSODescriptor and then if it wants to confirm exactly one was found (or it could just load all of them, depends on the SP). There are other inconsistencies in the IdP metadata depending on how it's retrieved from Keycloak aside from the EntitiesDescriptor tag. The inconsistent IdP metadata is a known problem and has been reported in this JIRA: https://issues.jboss.org/browse/KEYCLOAK-3373 Any reason for the inconsistencies, no. -- John