[keycloak-dev] Can KeyCloak support Multi-lateral SAML federation?

Chris Phillips Chris.Phillips at canarie.ca
Mon Sep 10 10:55:40 EDT 2018


Hi. 
I sent this to the Users list and have had zero response.  Re-sending here on the dev list hoping to hear feedback and thoughts from Keycloak Devs on my questions around KeyCloak's ability to support multi-lateral federation and if it is on the roadmap.

Thanks and look forward to thoughts and comments..

Chris.


On 2018-08-30, 4:06 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Chris Phillips" <keycloak-user-bounces at lists.jboss.org on behalf of Chris.Phillips at canarie.ca> wrote:

    Hi.
    I’m going through assessing KeyCloak as being able to be an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak.
    
    For an IdP to be considered interoperable in a multi-lateral SAML trust federation context,  IdPs need to be able to do a base set of functions. These are some of the critical (but not only) ones:
    
      *   Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
      *   validate the signature on the aggregate
      *   when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
    
    I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something.
    
    Is anyone using KeyCloak in this manner or are there plans for this functionality on KeyCloak’s technical roadmap?
    
    Some additional items to decorate my ask for information..
    
    To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly.
    
    The list of items important for interoperability can be seen here with the ones I called out above appearing in section 2.2.1:
    https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
    
    
    I’ve searched the keycloak-users list a bit and came across the reference to EntitiesDescriptor which led me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for reading in aggregates is not possible and maybe engineered out of the product itself.  Am I right in thinking that?
    
    
    Thoughts and insights welcome..
    
    Chris.
    ___________________________________________________________________________________________
    Chris Phillips
    Technical Architect, Canadian Access Federation, CANARIE | chris.phillips at canarie.ca | GPG: 0x7F6245580380811D
    
    _______________________________________________
    keycloak-user mailing list
    keycloak-user at lists.jboss.org
    https://lists.jboss.org/mailman/listinfo/keycloak-user
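The three steps the message lists (fetch the aggregate on a schedule, verify its signature, then load every entity into the trust store) are what the example below sketches, as an added illustration that is not part of the thread and not Keycloak code. It parses a small constructed EntitiesDescriptor, insists on a root-level enveloped signature and an unexpired validUntil, derives the refresh interval from cacheDuration, and splits the entities into IdPs and SPs (including the nested sub-federation and an entity that holds both roles, which is how a 2800 + 2100 split can sum past 4500). The federation name, entityIDs and signature value are made up; cryptographic verification of the signature is deliberately left to an XML-DSig library and is only checked structurally here.

```python
"""Process a SAML metadata aggregate the way a federation-aware IdP would on
each scheduled refresh: confirm the document is a root-level, signed
EntitiesDescriptor, enforce its validity window, then extract every entity
and its role(s). Constructed example, not Keycloak code."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed three-entity aggregate standing in for a multi-thousand-entity
# feed. The third entity carries both roles (a SAML proxy), which is why
# IdP + SP counts in a real aggregate can exceed the entity total.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    Name="urn:example:federation" ID="_aggregate"
    validUntil="2030-01-01T00:00:00Z" cacheDuration="PT1H">
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="urn:example:subfederation">
    <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://proxy.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def _parse_utc(stamp):
    """validUntil is an xsd:dateTime; federation feeds use the UTC 'Z' form."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _parse_duration(value, default=timedelta(hours=1)):
    """Turn an xsd:duration such as PT1H into a timedelta; hourly if absent."""
    if value is None:
        return default
    m = _DURATION.match(value)
    if m is None:
        raise ValueError(f"unsupported cacheDuration {value!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def load_aggregate(xml_bytes, now=None):
    """Return the trusted IdP and SP entityIDs from a signed aggregate.

    Cryptographic verification of ds:Signature is NOT done here; it belongs
    to an XML-DSig library fed the federation's pinned signing certificate.
    `now` may be a datetime or an ISO 'Z' string (handy for replaying a feed).
    """
    if isinstance(now, str):
        now = _parse_utc(now)
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("root element is not md:EntitiesDescriptor")
    # The enveloped signature has to sit directly under the root so that it
    # covers the whole aggregate, not merely one nested entity or group.
    if root.find(f"{{{DS}}}Signature") is None:
        raise ValueError("aggregate carries no root-level ds:Signature")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; refusing open-ended trust")
    expires = _parse_utc(valid_until)
    if expires <= now:
        raise ValueError(f"aggregate expired at {valid_until}; keep the last good copy")
    idps, sps, total = [], [], 0
    # iter() descends into nested md:EntitiesDescriptor groups as well.
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        total += 1
        eid = ent.get("entityID")
        if ent.find(f"{{{MD}}}IDPSSODescriptor") is not None:
            idps.append(eid)
        if ent.find(f"{{{MD}}}SPSSODescriptor") is not None:
            sps.append(eid)
    return {
        "entity_count": total,
        "idps": idps,
        "sps": sps,
        "valid_until": expires,
        "refresh_after": _parse_duration(root.get("cacheDuration")),
    }


if __name__ == "__main__":
    result = load_aggregate(SAMPLE_AGGREGATE.encode(), now="2025-01-01T00:00:00Z")
    print(f"{result['entity_count']} entities: {len(result['idps'])} IdPs, "
          f"{len(result['sps'])} SPs; refresh in {result['refresh_after']}")
```

The ordering matters: signature verification has to succeed before any entity is loaded, and it must be checked against a signing certificate the federation distributed out of band, never against a KeyInfo carried inside the document itself. A refresh that fails (bad signature, expired validUntil, unreachable URL) should leave the previously loaded set in place rather than empty the trust store. For the verification step itself, a command-line check such as `xmlsec1 --verify --pubkey-cert-pem fed-signer.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor aggregate.xml` (the certificate file name is a placeholder) is one way to run it outside the application.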



