[keycloak-dev] Support for key rotation in SAML Redirect binding

Hynek Mlnarik hmlnarik at redhat.com
Mon Oct 31 11:36:47 EDT 2016


Surely KC implements both SAML SP and IdP. I am afraid that in a strict 
sense, there is also no KC-to-SP or SP-to-KC communication. But by 
natural extension of concepts, by "KC-to-KC", an IdP-to-SP communication 
is meant where KC is the implementor of both parts. SAML 2.0 is designed to 
be extensible and allows implementation-specific extensions that are not 
interpreted if the receiving party does not know how to handle them. 
This is interoperable as long as the meaning of the original SAML 
message retains the same meaning. Hints like key ID are hence a valid use 
of this extension.

Just for the record - the SAML IdP is represented by the KC server; the SAML SP part 
is handled by the KC adapters.

--Hynek


On 10/31/2016 04:13 PM, John Dennis wrote:
> On 10/31/2016 10:53 AM, Hynek Mlnarik wrote:
>> Fortunately, in the case where Keycloak is both signing and
>> validating so this condition is satisfied.
>
> When is KC both signing a SAML message and validating the same signature?
>
>> Though this may be needed for a communication between KC and non-KC,
>> for KC-to-KC communication, this type of guessing should be avoided
>> if a valid way exists.
>
> In SAML, messages are one-way. There is KC-to-SP communication and 
> SP-to-KC communication. What is this KC-to-KC communication you refer to?
>
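The key-ID hint in samlp:Extensions discussed above, as an added example in Go that is not part of the thread and not Keycloak's own code. It builds a Redirect-binding query (DEFLATE, base64, URL-encoding, RSA-SHA256 over the query string), carries the hint in an extension element whose name and namespace (KeyHint, urn:example:saml-key-hint) are an assumption of this example rather than Keycloak's wire format, and on the receiving side tries only the hinted key when the hint is present and known, falling back to every configured key when the hint is absent or unknown. Key IDs, issuer and request ID are constructed sample values.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"io"
	"net/url"
	"strings"
)

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Extensions carries the implementation-specific key-ID hint. The element name
// and namespace are an assumption of this example, not Keycloak's format.
type Extensions struct {
	KeyHint string `xml:"urn:example:saml-key-hint KeyHint,omitempty"`
}

type AuthnRequest struct {
	XMLName    xml.Name    `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID         string      `xml:"ID,attr"`
	Issuer     string      `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Extensions *Extensions `xml:"urn:oasis:names:tc:SAML:2.0:protocol Extensions"`
}

// encodeRequest applies the Redirect binding encoding: DEFLATE, then base64.
func encodeRequest(req AuthnRequest) string {
	raw, err := xml.Marshal(req)
	if err != nil {
		panic(err) // our own struct failed to marshal: a programming error
	}
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write(raw)
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// decodeRequest reverses encodeRequest for untrusted input, so it returns errors.
func decodeRequest(enc string) (*AuthnRequest, error) {
	deflated, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return nil, err
	}
	raw, err := io.ReadAll(flate.NewReader(bytes.NewReader(deflated)))
	if err != nil {
		return nil, err
	}
	req := new(AuthnRequest)
	return req, xml.Unmarshal(raw, req)
}

// signRedirect builds a signed Redirect-binding query string; an empty keyID
// models a sender that does not implement the extension and sends no hint.
func signRedirect(req AuthnRequest, keyID string, priv *rsa.PrivateKey) (string, error) {
	if keyID != "" {
		req.Extensions = &Extensions{KeyHint: keyID}
	}
	// The signed data is the URL-encoded query without the Signature parameter.
	signed := "SAMLRequest=" + url.QueryEscape(encodeRequest(req)) + "&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	h := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyRedirect returns the ID of the configured key under which the signature
// verifies. The hint only narrows which key is tried; it never adds trust. With no
// hint, or an unknown one, every configured key is tried (the "guessing" path).
func verifyRedirect(query string, keys map[string]*rsa.PublicKey) (string, error) {
	vals, err := url.ParseQuery(query)
	i := strings.LastIndex(query, "&Signature=")
	if err != nil || i < 0 || vals.Get("SigAlg") != sigAlgRSASHA256 {
		return "", errors.New("malformed query, missing Signature or unsupported SigAlg")
	}
	sig, err := base64.StdEncoding.DecodeString(vals.Get("Signature"))
	req, err2 := decodeRequest(vals.Get("SAMLRequest"))
	if err != nil || err2 != nil {
		return "", errors.New("malformed Signature or SAMLRequest")
	}
	candidates := keys
	if ext := req.Extensions; ext != nil && ext.KeyHint != "" {
		if pub, ok := keys[ext.KeyHint]; ok {
			candidates = map[string]*rsa.PublicKey{ext.KeyHint: pub}
		}
	}
	h := sha256.Sum256([]byte(query[:i])) // verify the bytes as received, not re-encoded
	for id, pub := range candidates {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return id, nil
		}
	}
	return "", errors.New("signature does not verify under any configured key")
}
```

Two points worth keeping from the design: the receiver hashes the query bytes exactly as received rather than re-encoding the parsed values, because the Redirect binding signature covers the URL-encoded form as sent; and a party that strips or rewrites the hint gains nothing, since the outcome is at most the fallback of trying every configured key, and trust still comes only from the signature verifying under a key the receiver already holds. The SigAlg check before any key is tried avoids accepting an algorithm the receiver did not intend to support.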