[keycloak-user] Key Rotation for SAML client

Bill Burke bburke at redhat.com
Thu Jun 1 11:08:11 EDT 2017


I'll bring this discussion to keycloak-dev, but we should probably 
expand on centralized adapter management in the admin console and have 
apps download their configuration from the realm at boot time.


On 6/1/17 9:13 AM, Muein Muzamil wrote:
> Thanks for your response. Our SAML clients are mostly third-party SaaS
> services like Salesforce, AWS, Office 365 etc. So they won't be using the
> KeyCloak adapters.
>
> Maybe I was not clear in my question. The scenario is that for a realm we
> already have 50+ SAML clients configured. Now if we decide to update the
> realm, my understanding is that SAML authentication will start failing for
> end users unless as admin I go and update the certificates on all of those
> service provider settings. In case you have 2 or 3 clients, it is probably
> still possible to go and manually update those certificates without
> impacting end users. But for 50+ applications, it is not humanly possible
> to update certificates for all SPs at the same moment to avoid impact on
> end users.
>
> Ideally, there should be a mechanism, to support both old and new
> certificates at the same time for some grace period, so that customers can
> update configuration for SPs during that period. I am not sure if SAML
> protocol supports anything to facilitate this but we can imagine having a
> client property to mention which key to use. So until admin updates
> certificate on the Service provider side, he can still use the old key.
> Does it make sense?
>
> Regards,
> Muein
>
> On Thu, Jun 1, 2017 at 1:16 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
>
>> If the clients are using Keycloak adapters, see [1]. Other clients can
>> use standard SAML descriptor available at
>> server-root/auth/realms/{realm}/protocol/saml/descriptor, see [2].
>>
>> [1] https://keycloak.gitbooks.io/documentation/securing_apps/topics/saml/java/general-config/idp_keys_subelement.html
>> [2] https://keycloak.gitbooks.io/documentation/server_admin/topics/clients/saml/entity-descriptors.html
>>
>> On Tue, May 30, 2017 at 9:55 PM, Muein Muzamil
>> <shmuein+keycloak-dev at gmail.com> wrote:
>>> Hi all,
>>>
>>> We have a business use case, where we'll have a realm with 50+ SAML
>>> clients configured and we want to update the SAML key for the realm
>>> (either for security reasons or because the certificate expired).
>>>
>>> I was reading the following section but it seems mostly focused on OIDC.
>>> Can someone please share how KeyCloak handles this for SAML? The important
>>> thing to realize is, we cannot expect our customer to update the realm
>>> certificate in all 50+ service providers at the same time.
>>> https://keycloak.gitbooks.io/documentation/server_admin/topics/realms/keys.html
>>> Regards,
>>> Muein
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> --
>>
>> --Hynek
>>
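The grace-period idea above (old and new realm certificates published side by side while SPs are updated one at a time) needs a way to tell which SPs have not been migrated yet. As an added example that is not code from this thread or from Keycloak, and that assumes a constructed IdP descriptor and a constructed SP inventory, the script below parses a realm SAML descriptor of the shape served at the descriptor URL Hynek mentioned, collects every published signing certificate, and reports which SPs still pin a certificate the realm no longer publishes:

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders: base64 of short strings, NOT real X.509 DER.
# Real descriptors carry full certificates; the fingerprint logic is the same.
OLD_CERT = base64.b64encode(b"constructed-old-realm-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-new-realm-cert").decode()
RETIRED_CERT = base64.b64encode(b"constructed-retired-cert").decode()

# Constructed IdP descriptor: both the old and the new key are published,
# which is the "grace period" state an SP can still verify against.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the decoded DER bytes, the form most SP consoles display."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()

def published_signing_keys(metadata_xml: str) -> set:
    """Fingerprints of every IdP KeyDescriptor usable for signing (use="signing" or unset)."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text))
    return fps

def sps_that_will_break(sp_pins: dict, metadata_xml: str) -> list:
    """Names of SPs whose pinned IdP certificate is no longer published by the realm."""
    live = published_signing_keys(metadata_xml)
    return sorted(sp for sp, fp in sp_pins.items() if fp not in live)

# Constructed inventory: the IdP certificate each third-party SP currently trusts.
SP_PINS = {"salesforce": fingerprint(NEW_CERT),   # already migrated
           "aws": fingerprint(OLD_CERT),          # still fine during the grace period
           "office365": fingerprint(RETIRED_CERT)}  # will fail: key no longer published

if __name__ == "__main__":
    print(sps_that_will_break(SP_PINS, IDP_METADATA))
```

Run against the live descriptor and a real inventory, an empty result is the signal that the old key can be removed from the realm without breaking any SP.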