Hi.
I’m going through assessing KeyCloak as being able to be an Identity Provider in a
multi-lateral SAML federation context and am seeking insight from the users and devs
involved in KeyCloak.
For an IdP to be considered interoperable in a multi-lateral SAML trust federation
context, IdPs need to be able to do a base set of functions. These are some of the
critical (but not only) ones:
* Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
* validate the signature on the aggregate
* when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing
something.
Is anyone using KeyCloak in this manner or are there plans for this functionality on
KeyCloak’s technical roadmap?
Some additional items to decorate my ask for information..
To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800
IdPs and 2100 SPs and need to be refreshed hourly.
The list of items important for interoperability can be seen here with the ones I called
out above appearing in section 2.2.1:
https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
I’ve searched the keycloak-users list a bit and came across the reference to
EntitiesDescriptor which led me to this issue and code update in KeyCloak:
https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for
reading in aggregates is not possible and maybe engineered out of the product itself. Am
I right in thinking that?
Thoughts and insights welcome..
Chris.
___________________________________________________________________________________________
Chris Phillips
Technical Architect, Canadian Access Federation, CANARIE|
chris.phillips@canarie.ca | GPG:
0x7F6245580380811D
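The three steps listed in the post (fetch the aggregate, verify its signature, only then load the trusted entities) as an added Python example; this is not Keycloak code or anything from the federation, the aggregate is a constructed sample, and `verify_signature` is a hypothetical callback standing in for a real XML-DSig check pinned to the federation's signing certificate.

```python
"""Load a SAML EntitiesDescriptor aggregate only after its signature has
been verified, then index which entityIDs are trusted as IdPs and SPs."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Callable, Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate (not real federation data; ds:Signature omitted).
SAMPLE_AGGREGATE = b"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://federation.example.org" validUntil="2099-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://both.example.org">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def load_aggregate(xml_bytes: bytes, verify_signature: Callable[[bytes], bool],
                   now: Optional[datetime] = None) -> dict:
    """Return {"idp": set(entityIDs), "sp": set(entityIDs)} for a trusted aggregate.
    verify_signature is the caller's XML-DSig verifier (hypothetical hook); if it
    rejects the document nothing is loaded, so the previous trust set survives."""
    if not verify_signature(xml_bytes):
        raise ValueError("aggregate signature invalid; keep previous trust set")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("not an EntitiesDescriptor aggregate")
    # Honour validUntil: an expired aggregate must never replace a valid one.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if (now or datetime.now(timezone.utc)) > expiry:
            raise ValueError("aggregate is past its validUntil")
    roles = {"idp": set(), "sp": set()}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        eid = ed.get("entityID")
        # An entity may carry both roles; classify by role descriptor, not by name.
        if ed.find(f"{{{MD}}}IDPSSODescriptor") is not None:
            roles["idp"].add(eid)
        if ed.find(f"{{{MD}}}SPSSODescriptor") is not None:
            roles["sp"].add(eid)
    return roles
```

For an hourly refresh, schedule this loader with the fetched bytes and swap in the returned sets atomically only on success.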