[keycloak-user] Differences between SAML descriptors
Muein Muzamil
shmuein+keycloak-dev at gmail.com
Fri Feb 3 15:23:28 EST 2017
Hi All,
Currently, Keycloak supports two mechanisms to download SAML metadata.
One is using this public URL:
<root>/auth/realms/{realm}/protocol/saml/descriptor
The second option is to download it from the installation tab of the client,
or by using this API:
/admin/realms/{realm}/clients/{id}/installation/providers/{providerId}
It seems that there are some differences between them. In particular, the first
option returns metadata with an extra <EntitiesDescriptor> tag, such as:

<EntitiesDescriptor Name="urn:keycloak"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="http://10.164.44.249:1130/auth/realms/7BOM25F24Y">
    .........
  </EntityDescriptor>
</EntitiesDescriptor>
When we try to upload this metadata (downloaded from the public URL) to
PingOne, it doesn't like it (the metadata from the installation tab works fine).
Is there any reason for this?
Regards,
Muein
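Added example, not part of the original post or of Keycloak: a small Python helper that detects which of the two forms a metadata document has and, for the wrapped form from the realm descriptor URL, extracts the single <EntityDescriptor> as a stand-alone document of the kind the installation tab produces. The sample metadata is constructed here from the fragment quoted above; the IDPSSODescriptor body is assumed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ENTITIES = f"{{{MD_NS}}}EntitiesDescriptor"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"

# Keep the conventional prefixes so the re-serialised document reads like the
# original instead of carrying auto-generated ns0:/ns1: prefixes.
ET.register_namespace("", MD_NS)
ET.register_namespace("dsig", DSIG_NS)

# Constructed sample shaped like the realm descriptor quoted in the post.
# The IDPSSODescriptor content is assumed; the post abbreviates it.
WRAPPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:keycloak"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="http://10.164.44.249:1130/auth/realms/7BOM25F24Y">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://10.164.44.249:1130/auth/realms/7BOM25F24Y/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def root_form(xml_bytes: bytes) -> str:
    """Return 'entities' (wrapped) or 'entity' (bare) for a metadata document."""
    root = ET.fromstring(xml_bytes)
    if root.tag == ENTITIES:
        return "entities"
    if root.tag == ENTITY:
        return "entity"
    raise ValueError(f"not SAML metadata: root is {root.tag}")


def unwrap_entity_descriptor(xml_bytes: bytes) -> bytes:
    """Return a stand-alone <EntityDescriptor> document.

    A bare <EntityDescriptor> is passed through; an <EntitiesDescriptor> must
    hold exactly one entry, otherwise refuse rather than silently pick one.
    Note: if the outer element carried an XML signature, it no longer covers
    the extracted child, so the consumer must trust the download channel instead.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag == ENTITY:
        entity = root
    elif root.tag == ENTITIES:
        entities = root.findall(ENTITY)
        if len(entities) != 1:
            raise ValueError(f"expected one EntityDescriptor, found {len(entities)}")
        entity = entities[0]
    else:
        raise ValueError(f"not SAML metadata: root is {root.tag}")
    return ET.tostring(entity, encoding="utf-8", xml_declaration=True)
```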