Hi,

I am wondering if it is possible to access the SPSSODescriptor of an
identity provider on a publicly available URL.

Not to be confused with the IdPSSODescriptor
(/auth/realms/{realm}/protocol/saml/descriptor), which is publicly
available.

I found the API call
/auth/admin/realms/{realm}/identity-provider/instances/{identity-provider}/export,
but this API call requires authentication.
The IdP on the other end of the line needs to be able to retrieve this
descriptor without authentication.

I found a thread on the mailing list from earlier this year where the
existence of this feature is discussed, but the current status is
unclear to me.

Regards,
Ton
From: Pedro Igor Silva <psilva at redhat.com>
To: Raghu Prabhala <prabhalar at yahoo.com>
Cc: Keycloak-user <keycloak-user at lists.jboss.org>
Sent: Thursday, February 19, 2015 6:33 AM
Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
----- Original Message -----
> To: "Keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, February 19, 2015 12:20:00 AM
> Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
>
> Hi,
>
> I tested out the SAML broker functionality that is listed in the below
> example
> https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-bro...
>
> We have a very important use case that is similar to the above except that
> the SAML Identity broker is ADFS and a few issues are preventing me from
> testing it out:
>
> 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> metadata) which is not available currently. Perhaps I can generate my own
> metadata using the above example but would prefer KC to provide one that is
> similar to IDP metadata that is listed in the documentation.

In this case you need a SPSSODescriptor, right? I think we can easily
implement an endpoint to retrieve SP metadata for SAML applications.

[RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great.
Looking forward to seeing it in the near term.

> 2) The ADFS IDP metadata has a RoleDescriptor element that is not currently
> being parsed by the KC SAML broker. I logged my issues in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-883

I've already fixed our parsers. However, the RoleDescriptor you have
in that metadata are describing WS-Federation entities that will just
be ignored.

[RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are
described under RoleDescriptor - so I will have to build something to
handle that. Any advice on where I should start?

> 3) The roles and other claims need to be passed back to the client
> applications using OIDC (I am aware that Bill is making some functionality
> available over the next few days and hopefully it will address my
> requirement)
>
> Any suggestions on how I handle the first two?
>
> Thanks,
> Raghu
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user