[keycloak-user] Publicly available SAML Service Provider SSO Descriptor (SPSSODescriptor)

Ton Swieb ton at finalist.nl
Wed Dec 2 09:10:37 EST 2015


Hi,

I am wondering if it is possible to access the SPSSODescriptor of an
identity provider on a public available URL.
Not to be confused with the IdPSSODescriptor
(/auth/realms/{realm}/protocol/saml/descriptor) which is publicly
available.
I found the API call
/auth/admin/realms/{realm}/identity-provider/instances/{identity-provider}/export
, but this API call requires authentication.
The IdP on the other end of the line needs to be able to retrieve this
descriptor without authentication.
I found a thread on the mailing list from earlier this year where the
existence of this feature is discussed, but the current status is
unclear to me.

Regards,

Ton

       From: Pedro Igor Silva <psilva at redhat.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user>>
 To: Raghu Prabhala <prabhalar at yahoo.com
<https://lists.jboss.org/mailman/listinfo/keycloak-user>>
Cc: Keycloak-user <keycloak-user at lists.jboss.org
<https://lists.jboss.org/mailman/listinfo/keycloak-user>>
 Sent: Thursday, February 19, 2015 6:33 AM
 Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot

----- Original Message -----
>* From: "Raghu Prabhala" <prabhalar at yahoo.com <https://lists.jboss.org/mailman/listinfo/keycloak-user>>
*>* To: "Keycloak-user" <keycloak-user at lists.jboss.org
<https://lists.jboss.org/mailman/listinfo/keycloak-user>>
*>* Sent: Thursday, February 19, 2015 12:20:00 AM
*>* Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
*> >* Hi,
*> >* I tested out the SAML broker functionality that is listed in the below
*>* example
*>* https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
<https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication>
*> >* We have a very important use case that is similar to the above except that
*>* the SAML Identity broker is ADFS and a few issues are preventing me from
*>* testing it out:
*> >* 1) The ADFS IDP requires that I upload the KC SAML broker
information (SAML
*>* metadata) which is not available currently. Perhaps I can generate my own
*>* metadata using the above example but would prefer KC to provide one that is
*>* similar to IDP metadata that is listed in the documentation.
*
In this case you need a SPSSODescriptor, right ? I think we can easily
implement an endpoint to retrieve SP metadata for SAML applications.
[RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great.
Looking forward to see it near term.
>* 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
*>* being parsed by the KC SAML broker. I logged my issues in the JIRA
*>* https://issues.jboss.org/browse/KEYCLOAK-883
<https://issues.jboss.org/browse/KEYCLOAK-883>
*
I've already fixed our parsers. However, the RoleDescriptor you have
in that metadata are describing WS-Federation entities that will just
be ignored.


[RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are
described under RoleDescriptor  - so I will have to build something to
handle that. Any advice on where I should start?

>* 3) The roles and other claims need to passed back to the client applications
*>* using OIDC (I am aware that Bill is making some functionality available over
*>* the next few days and hopefully it will address my requirement)
*> >* Any suggestions on how I handle the first two?
*> >* Thanks,
*>* Raghu
*> > >* _______________________________________________
*>* keycloak-user mailing list
*>* keycloak-user at lists.jboss.org
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
*>* https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151202/18b5bf89/attachment-0001.html 


More information about the keycloak-user mailing list