[keycloak-user] Fwd: Keycloak service provider Metadata support for SAML support
Arulkumar Ponnusamy
parul.com at gmail.com
Mon Nov 30 11:20:33 EST 2015
Hi Bill,
Thanks for the reply. I am not referring to generating the SP entity
descriptor. I have the entity descriptor and want to use it with the
Keycloak SAML SP. I have attached the sample PicketLink SP metadata for
reference.
In PicketLink, we have picketlink.xml, where we can tell the service
provider to read the IDP entity descriptor from a file. Example as below:
  <MetaDataProvider
      ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
    <Option Key="FileName" Value="/WEB-INF/classes/idp-metadata.xml"/>
  </MetaDataProvider>
However, when I looked at our Keycloak SAML configuration schema
(keycloak_saml_adapter_1_6.xsd) I don't see any such element where
we can tell the SP to read the IDP entity data from IDP metadata.
On Mon, Nov 30, 2015 at 9:03 PM, Bill Burke <bburke at redhat.com> wrote:
> Keycloak SP does not generate an entity descriptor. I don't believe
> Picketlink SP does either.
>
> Our examples are derived from PL quickstarts. Honestly I don't see much
> difference between the PL ones and ours. The PL ones use PL IDP, the
> Keycloak ones use Keycloak IDP. The PL quickstarts don't go into much
> detail either other than how to run the example.
>
> On 11/30/2015 10:03 AM, Arulkumar Ponnusamy wrote:
>
>> Hi Bill,
>> Do you have any update on this?
>>
>> On Mon, Nov 30, 2015 at 2:39 PM, Stian Thorgersen <sthorger at redhat.com
>> <mailto:sthorger at redhat.com>> wrote:
>>
>> Bill - is there a way to get the entity descriptor for an
>> application using the Keycloak SP adapter? To then import into
>> PicketLink.
>>
>> On 30 November 2015 at 09:47, Arulkumar Ponnusamy
>> <parul.com at gmail.com <mailto:parul.com at gmail.com>> wrote:
>>
>> Hi Stian,
>> Yes, clients from entity descriptors. I don't understand the "import
>> the file" part. Where to import the file? I have both the
>> IDP (PicketLink) and the SP (Keycloak) under my WEB-INF file, but I
>> don't see any SAML communication between SP and IDP happening.
>>
>> I am new to SAML and, for a beginner, PicketLink has so many examples
>> for both IDP and SP, which is awesome and gives a clear picture of
>> what needs to be done. But those examples are missing for the
>> Keycloak SAML service provider. Only three examples are for
>> Keycloak, and those are somehow not detailed.
>>
>>
>>
>> On Mon, Nov 30, 2015 at 1:07 PM, Stian Thorgersen
>> <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>>
>> Are you asking if Keycloak can create clients from entity
>> descriptors, then yes. Create client and import the file.
>>
>> On 30 November 2015 at 05:02, Arulkumar Ponnusamy
>> <parul.com at gmail.com <mailto:parul.com at gmail.com>> wrote:
>>
>> Hi All,
>> Does the Keycloak service provider support metadata? I
>> don't find any reference document on this for Keycloak.
>> There is no adapter which talks about metadata. I even
>> looked at the examples, and there are three examples
>> which talk about POST, REDIRECT and encryption.
>>
>> Any reference document on Keycloak SAML Service provider
>> Metadata?
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
-------------- next part --------------
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:mace:shibboleth:testshib:two"
                    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="http://localhost:8080/sales-metadata/">
    <SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <AssertionConsumerService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://localhost:8080/sales-metadata/"
          index="1" isDefault="true" />
      <!-- A KeyDescriptor without a "use" attribute serves both signing and encryption.
           $x509certificate.data is a template placeholder for the base64-encoded certificate. -->
      <KeyDescriptor>
        <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <dsig:X509Data>
            <dsig:X509Certificate>
              $x509certificate.data
            </dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="encryption">
        <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <dsig:X509Data>
            <dsig:X509Certificate>
              $x509certificate.data
            </dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </KeyDescriptor>
    </SPSSODescriptor>
    <Organization>
      <OrganizationName xml:lang="en">JBoss</OrganizationName>
      <OrganizationDisplayName xml:lang="en">JBoss by Red Hat</OrganizationDisplayName>
      <OrganizationURL xml:lang="en">http://localhost:8080/sales-metadata/</OrganizationURL>
    </Organization>
    <ContactPerson contactType="technical">
      <GivenName>The</GivenName>
      <SurName>Admin</SurName>
      <EmailAddress>admin at mycompany.com</EmailAddress>
    </ContactPerson>
  </EntityDescriptor>
</EntitiesDescriptor>
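As the adapter schema cited in this thread has no element that reads IdP metadata from a file, the IdP's entityID, single sign-on endpoints and signing certificate have to be carried into the SP adapter configuration by hand. The script below is an added example, not code from this thread, PicketLink or Keycloak: it pulls those values out of an IdP EntityDescriptor and rejects a file that is not well-formed (e.g. a missing close tag) or that is not IdP metadata at all; the metadata and certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata (not a real IdP); certificate values are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="http://localhost:8080/idp/">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate> MIIC...SIGNING-PLACEHOLDER... </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...ENCRYPTION-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/idp/sso/redirect"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/idp/sso/post"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def idp_settings(metadata_xml):
    """Return the IdP entityID, SSO endpoint per binding and signing certs.
    Raises ValueError for metadata that is not well-formed (e.g. a missing
    close tag) or has no IDPSSODescriptor, so a broken file is rejected."""
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        raise ValueError(f"metadata is not well-formed XML: {exc}") from exc
    # Metadata is either a bare EntityDescriptor or wrapped in EntitiesDescriptor.
    ed = root if root.tag == "{%s}EntityDescriptor" % NS["md"] \
        else root.find("md:EntityDescriptor", NS)
    idp = ed.find("md:IDPSSODescriptor", NS) if ed is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor found in metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without @use is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # strip line breaks
    return {"entityID": ed.get("entityID"), "sso": sso, "signing_certs": certs}
```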