[keycloak-user] Key Rotation for SAML client

Muein Muzamil shmuein+keycloak-dev at gmail.com
Thu Jun 1 09:13:35 EDT 2017


Thanks for your response. Our SAML clients are mostly third-party SaaS
services like Salesforce, AWS, Office 365, etc., so they won't be using the
Keycloak adapters.

Maybe I was not clear in my question. The scenario is that for a realm we
already have 50+ SAML clients configured; now if we decide to update the
realm, my understanding is that SAML authentication will start failing for
end users unless, as admin, I go and update the certificates in all of those
service provider settings. If you have 2 or 3 clients, it is probably
still possible to go and manually update those certificates without
impacting end users. But for 50+ applications, it is not humanly possible
to update certificates for all SPs at the same moment to avoid impact on
end users.

Ideally, there should be a mechanism to support both old and new
certificates at the same time for some grace period, so that customers can
update the configuration for SPs during that period. I am not sure if the
SAML protocol supports anything to facilitate this, but we can imagine having
a client property to indicate which key to use. So until the admin updates
the certificate on the service provider side, he can still use the old key.
Does it make sense?

Regards,
Muein

On Thu, Jun 1, 2017 at 1:16 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> If the clients are using Keycloak adapters, see [1]. Other clients can
> use standard SAML descriptor available at
> server-root/auth/realms/{realm}/protocol/saml/descriptor, see [2].
>
> [1] https://keycloak.gitbooks.io/documentation/securing_apps/topics/saml/java/general-config/idp_keys_subelement.html
> [2] https://keycloak.gitbooks.io/documentation/server_admin/topics/clients/saml/entity-descriptors.html
>
> On Tue, May 30, 2017 at 9:55 PM, Muein Muzamil
> <shmuein+keycloak-dev at gmail.com> wrote:
> > Hi all,
> >
> > We have a business use case, where we'll have a realm with 50+ SAML
> > clients configured and we want to update the SAML key for the realm
> > (either for security reasons or because the certificate expired).
> >
> > I was reading the following section but it seems mostly focused on OIDC.
> > Can someone please share how Keycloak handles this for SAML? The important
> > thing to realize is that we cannot expect our customer to update the realm
> > certificate in all 50+ service providers at the same time.
> > https://keycloak.gitbooks.io/documentation/server_admin/topics/realms/keys.html
> >
> > Regards,
> > Muein
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> --Hynek
>
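The grace period discussed in this thread has two halves: the IdP publishing the old and new signing certificates side by side in its SAML descriptor (the `.../realms/{realm}/protocol/saml/descriptor` metadata Hynek points to), and each SP trusting every signing key that metadata advertises instead of a single pinned certificate. The following is an added example written for this page, not code from the thread or from the Keycloak project: it parses IdP metadata, collects the signing certificates (SAML metadata allows several `KeyDescriptor` elements), and keeps a retired key trusted for a configurable grace period after it drops out of the metadata. The entity ID, the metadata document and the base64 certificate bodies are constructed placeholders, not real Keycloak output or real X.509 DER.

```python
"""Added example: SP-side trust of multiple IdP signing keys during rotation.

Not part of the keycloak-user thread or the Keycloak project. The metadata,
entity ID and certificate blobs below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for base64 DER certificates.
OLD_CERT_B64 = base64.b64encode(b"placeholder-old-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder-new-signing-cert").decode()
ENC_CERT_B64 = base64.b64encode(b"placeholder-encryption-cert").decode()


def build_metadata(signing_certs: list[str], enc_cert: str = ENC_CERT_B64) -> str:
    """Render a minimal IdP EntityDescriptor with one KeyDescriptor per signing cert
    plus one encryption key. Shape follows the SAML metadata schema; values are constructed."""
    def kd(use: str, cert: str) -> str:
        return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>{cert}</ds:X509Certificate>'
                f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    body = "".join(kd("signing", c) for c in signing_certs) + kd("encryption", enc_cert)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example/auth/realms/demo">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{body}</md:IDPSSODescriptor>'
            f'</md:EntityDescriptor>')


def fingerprint(cert_b64: str) -> str:
    """SHA-256 of the decoded certificate bytes; the value an admin compares between IdP and SP."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def signing_fingerprints(metadata_xml: str) -> list[str]:
    """Fingerprints of every signing certificate in the descriptor, in document order.
    A KeyDescriptor with no 'use' attribute applies to both signing and encryption, so it counts."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys must never validate signatures
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.append(fingerprint(cert.text))
    return found


class IdpTrustStore:
    """Signing keys the SP trusts, refreshed from IdP metadata.

    Every key present at the last refresh is trusted. A key that later disappears
    from the metadata stays trusted until `grace` has passed since it was last seen,
    so assertions signed shortly before the IdP retired the old key still verify.
    If refreshes stop, all keys eventually expire: stale metadata is not trusted forever."""

    def __init__(self, grace: timedelta):
        self.grace = grace
        self.last_seen: dict[str, datetime] = {}

    def refresh(self, metadata_xml: str, now: datetime) -> None:
        for fp in signing_fingerprints(metadata_xml):
            self.last_seen[fp] = now

    def is_trusted(self, fp: str, now: datetime) -> bool:
        seen = self.last_seen.get(fp)
        return seen is not None and now - seen <= self.grace


def simulate_rotation(grace_days: int = 7) -> dict[str, bool]:
    """Walk one SP through a rotation: old+new published, then only new, then grace expiry."""
    t0 = datetime(2017, 6, 1, tzinfo=timezone.utc)
    store = IdpTrustStore(grace=timedelta(days=grace_days))
    old, new = fingerprint(OLD_CERT_B64), fingerprint(NEW_CERT_B64)

    # Step 1: IdP advertises both keys; SP picks up both on refresh.
    store.refresh(build_metadata([NEW_CERT_B64, OLD_CERT_B64]), t0)
    both_trusted = store.is_trusted(old, t0) and store.is_trusted(new, t0)

    # Step 2: a day later the IdP drops the old key; it is still inside the grace period.
    t1 = t0 + timedelta(days=1)
    store.refresh(build_metadata([NEW_CERT_B64]), t1)
    old_in_grace = store.is_trusted(old, t1)

    # Step 3: once the grace period has elapsed the old key is rejected, the new one still works.
    t2 = t1 + timedelta(days=grace_days)
    store.refresh(build_metadata([NEW_CERT_B64]), t2)
    return {
        "both_trusted": both_trusted,
        "old_in_grace": old_in_grace,
        "old_after_grace": store.is_trusted(old, t2),
        "new_after_grace": store.is_trusted(new, t2),
        "enc_key_rejected": store.is_trusted(fingerprint(ENC_CERT_B64), t0),
    }


if __name__ == "__main__":
    for name, ok in simulate_rotation().items():
        print(f"{name}: {ok}")
```

The store only decides which keys are acceptable; the actual XML-Signature check belongs to the SP's SAML library, which should be handed the full trusted set rather than one certificate. Note the `use` filter: a certificate published for encryption must not be accepted as a signing key just because it appears in the same descriptor.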

