[keycloak-user] Differences between SAML descriptors

John Dennis jdennis at redhat.com
Sat Feb 4 11:41:40 EST 2017


On 02/03/2017 03:23 PM, Muein Muzamil wrote:
> Hi All,
>
> Currently, KeyCloak supports two mechanisms to download SAML metadata.
>
> One is using this public URL
> <root>/auth/realms/{realm}/protocol/saml/descriptor.
> The Second option is to download it from the installation tab of the client
> or using this API /admin/realms/{realm}/clients/
> {id}/installation/providers/{providerId}
>
> It seems that there are some differences between them. Especially the first
> option returns you metadata with an extra <EntitiesDescriptor> tag. Such as
>
> <EntitiesDescriptor Name="urn:keycloak"
> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> <EntityDescriptor entityID="http://10.164.44.249:1130/auth/realms/7BOM25F24Y
> ">
> .........
> </EntityDescriptor>
> </EntitiesDescriptor>

If the SP is unable to parse SP metadata containing an 
EntitiesDescriptor in addtion to an EntityDescriptor then the SP is at 
fault. All the EntitiesDescriptor is is a container for multiple 
EntityDescriptor elements, it is perfectly permissible to have a 
container contain only 1 element just as it's acceptable to omit the 
container and have a bare element.

If your SP cannot parse a metadata file containing a EntitiesDescriptor 
tag it's easy to strip it off the xml with a text editor.

Irrespective of the SP's ability to parse metadata containing an 
EntitiesDescriptor element is the requirement stated in Section 4.1.1 of 
the SAML Metadata spec which requires metadata published at the IdP's 
well known location for metadata retrieval to contain *only* a 
EntityDescriptor as the root element. Since 
<root>/auth/realms/{realm}/protocol/saml/descriptor is as close as 
Keycloak gets to published well known location for IdP metadata 
retrieval the use of a EntitiesDescriptor violates the SAML spec. I 
don't believe there is JIRA filed for this yet. However, I emphasize 
this is independent of the SP's ability ability to parse the IdP 
metadata because it does not know where the IdP metadata originated 
from. It should iterate over all the EntityDescriptor's looking for an 
IDPSSODescriptor and then if it wants to confirm exactly one was found 
(or it could just load all of them, depends on the SP).

> When we try to upload this metadata (downloaded from the public URL) to
> PingOne, it doesn't like it (metadata from installation tab works fine).

There are other inconsistencies in the IdP metadata depending on how 
it's retrieved from Keycloak aside from the EntitiesDescriptor tag. The 
inconsistent IdP metadata is a known problem and has been reported in 
this JIRA:

https://issues.jboss.org/browse/KEYCLOAK-3373

> Is there any reason for this?

Any reason for the inconsistencies, no.

-- 
John


More information about the keycloak-user mailing list