Keycloak server currently has no way to refresh the metadata of other
parties in the federation; this functionality would need to be implemented.
It looks like rather a good feature though, related to a more narrow
use case of [1]. Feel free to raise a feature request in JIRA.

[1] https://issues.jboss.org/browse/KEYCLOAK-4199
On Thu, Aug 30, 2018 at 10:08 PM Chris Phillips <Chris.Phillips(a)canarie.ca> wrote:
Hi.
I’m going through assessing KeyCloak as being able to be an Identity
Provider in a multi-lateral SAML federation context and am seeking insight
from the users and devs involved in KeyCloak.
For an IdP to be considered interoperable in a multi-lateral SAML trust
federation context, IdPs need to be able to do a base set of functions.
These are some of the critical (but not only) ones:
* Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
* Validate the signature on the aggregate
* When signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could
be missing something.
Is anyone using KeyCloak in this manner or are there plans for this
functionality on KeyCloak’s technical roadmap?
Some additional items to decorate my ask for information...
To give an idea of scale, the aggregates I want to work with have ~4500
entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly.
The list of items important for interoperability can be seen here with the
ones I called out above appearing in section 2.2.1:
https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
I’ve searched the keycloak-users list a bit and came across the reference
to EntitiesDescriptor, which led me to this issue and code update in
KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399, which leads me to
think that the support for reading in aggregates is not possible and maybe
engineered out of the product itself. Am I right in thinking that?
Thoughts and insights welcome...
Chris.
Chris Phillips
Technical Architect, Canadian Access Federation, CANARIE
chris.phillips@canarie.ca | GPG: 0x7F6245580380811D
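Added example, not code from this thread or from Keycloak: a fail-closed loader for the three steps Chris lists (no entities are loaded unless the signature verifier accepts the aggregate, the aggregate's validUntil is honoured, then entities are classified as IdP or SP, including nested EntitiesDescriptor elements). The XMLDSig verification itself is assumed to come from an external library such as xmlsec and is injected as the `signature_ok` callable; the validUntil check and the sample aggregate are my own assumptions and constructed data, not from the thread.

```python
# Added example (not from the thread or Keycloak). Loads a SAML metadata
# aggregate only after the injected signature check passes, rejects an
# expired aggregate, and lists which entities act as IdP and which as SP.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def _expired(elem, now):
    # validUntil on the aggregate root bounds how long it may be trusted
    vu = elem.get("validUntil")
    if vu is None:
        return False
    return datetime.fromisoformat(vu.replace("Z", "+00:00")) <= now

def load_aggregate(xml_bytes, signature_ok, now=None):
    """Return {"idps": [...], "sps": [...]} or raise if the aggregate is untrusted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.find(f"{{{DS}}}Signature") is None:
        raise ValueError("aggregate is unsigned")
    if not signature_ok(xml_bytes):  # fail closed: no load without a valid signature
        raise ValueError("signature verification failed")
    if _expired(root, now):
        raise ValueError("aggregate is past its validUntil")
    idps, sps = [], []
    # EntitiesDescriptor may nest; iter() walks every EntityDescriptor in document order
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        eid = ent.get("entityID")
        if ent.find(f"{{{MD}}}IDPSSODescriptor") is not None:
            idps.append(eid)
        if ent.find(f"{{{MD}}}SPSSODescriptor") is not None:
            sps.append(eid)
    return {"idps": idps, "sps": sps}

# Constructed sample aggregate: one IdP, one SP, one entity with both roles, one nested group.
SAMPLE = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2099-01-01T00:00:00Z">
 <ds:Signature/>
 <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:IDPSSODescriptor/></md:EntityDescriptor>
 <md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp"><md:SPSSODescriptor/></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://both.example.org"><md:IDPSSODescriptor/><md:SPSSODescriptor/></md:EntityDescriptor>
 </md:EntitiesDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    # signature_ok is a placeholder here; wire a real XMLDSig verifier in practice
    print(load_aggregate(SAMPLE, signature_ok=lambda b: True))
```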