[keycloak-dev] Support for key rotation in SAML Redirect binding

John Dennis jdennis at redhat.com
Mon Oct 31 13:14:32 EDT 2016


On 10/31/2016 11:36 AM, Hynek Mlnarik wrote:
> Surely KC implements both SAML SP and IdP.

KC is mostly an IdP. The only case I'm aware of where KC operates as an 
SP is when KC federates to another IdP (i.e. KC is an identity hub that 
is configured to authenticate against other IdPs). For the optimization 
you're discussing to be workable the other IdP must also understand the 
key id usage (i.e. is another KC instance) *and* share the key ids. 
That seems to me to be an uncommon deployment.

> I am afraid that in a strict sense, there is also no KC-to-SP or
> SP-to-KC communication.

Really? SAML is mostly IdP-to-SP and SP-to-IdP communication.

> But by natural extension of concepts, by "KC-to-KC", an IdP-to-SP
> communication is meant where KC is implementor of both parts.

See above.

> SAML 2.0 is designed to be extensible and allows Implementation
> specific extensions that are not interpreted if the receiving party
> does not know how to handle them. This is interoperable as long as
> the meaning of the original SAML message retains the same meaning.
> Hints like key ID are hence valid use of this extension.

Sure, but I still don't understand when you could take advantage of this 
(see above). How often do you think KC is going to federate to another 
KC instance that shares the same key ids?

> Just for the record - SAML IdP is represented by KC server, SAML SP
> part is handled by KC adapters.


-- 
John
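The point under discussion, a key-id hint that a receiver may use but must not depend on, as an added illustration that is not Keycloak's code and not from either poster: a minimal HTTP-Redirect-binding signer and verifier where the verifier tries the hinted key first and falls back to every key in the rotation window. The `KeyId` query parameter and the key ids are hypothetical, and HMAC-SHA256 stands in for the RSA/DSA signature the binding really carries.

```python
import base64
import hashlib
import hmac
import zlib
from urllib.parse import quote, unquote

# Constructed sample key ring of a signer that rotates keys: key id -> secret.
# HMAC-SHA256 is a stand-in for the binding's RSA/DSA signature; the
# signed-string construction below follows the Redirect binding's rule.
KEYS = {
    "kid-2016-09": b"old-secret",
    "kid-2016-10": b"current-secret",
}
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # label only


def signed_string(saml_request, relay_state, sig_alg):
    """Octets the Redirect binding signs: the parameters in this order, URL-encoded."""
    parts = ["SAMLRequest=" + quote(saml_request, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    parts.append("SigAlg=" + quote(sig_alg, safe=""))
    return "&".join(parts)


def build_redirect_query(xml, relay_state, key_id, hint=True):
    """Deflate+base64 the message, sign the query, optionally append the hypothetical KeyId hint."""
    deflated = zlib.compress(xml.encode())[2:-4]  # raw DEFLATE, as the binding requires
    saml_request = base64.b64encode(deflated).decode()
    data = signed_string(saml_request, relay_state, SIG_ALG)
    sig = hmac.new(KEYS[key_id], data.encode(), hashlib.sha256).digest()
    query = data + "&Signature=" + quote(base64.b64encode(sig).decode(), safe="")
    if hint:
        query += "&KeyId=" + quote(key_id, safe="")  # outside the signed octets, ignorable
    return query


def verify_redirect_query(query, keys):
    """Return the key id that verifies the query, or None.

    Verifies over the URL-encoded values exactly as received (no re-encoding).
    The hint only orders the attempts; a missing or unknown hint still works.
    """
    raw = dict(p.split("=", 1) for p in query.split("&"))
    data = "&".join(f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw)
    sig = base64.b64decode(unquote(raw["Signature"]))
    hinted = unquote(raw["KeyId"]) if "KeyId" in raw else None
    order = ([hinted] if hinted in keys else []) + [k for k in keys if k != hinted]
    for kid in order:
        expected = hmac.new(keys[kid], data.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return kid
    return None
```

A peer that shares no key ids, or that drops the hint entirely, lands on the fallback loop, which is the same cost it pays today without the hint.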
