[keycloak-user] Keycloak as an Identity Broker Encrypting SAML Assertions

Jason Spittel jasonspittel at yahoo.com
Tue Sep 12 16:34:08 EDT 2017


Hello,
I'm trying to integrate with InCommon federation, using Keycloak as an Identity Broker.
Workflow is JEE app <--> Keycloak Broker <--> InCommon IdP.
The problem is that InCommon requires SAML assertion encryption. As far as I can see, in the Keycloak IdP setup, I can only set signing for the document.
Looking at this SPSSODescriptor from Keycloak:
<EntityDescriptor entityID="ENTITY_ID_FOR_IDP">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>ASDFASDFASDF</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>qwerqwerqwer</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
    ........
  </SPSSODescriptor>
</EntityDescriptor>

The KeyDescriptor is not for 'signing' and not for 'encrypting'. How do I set that flag?
Thanks,
Jason
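The question above comes down to what the SP metadata advertises in its KeyDescriptor elements. The following check is an added example, not Keycloak's code or anything from the post: it parses SP metadata (a constructed sample modelled on the fragment above, with placeholder certificate values and namespace declarations assumed) and reports whether a key usable for assertion encryption is published. It relies on the SAML 2.0 metadata rule that a KeyDescriptor without a `use` attribute applies to both signing and encryption.

```python
"""Check which key uses an SP's SAML 2.0 metadata advertises.

Added example, not Keycloak's own code or output. Per the SAML 2.0
metadata spec, a <KeyDescriptor> without a `use` attribute applies to both
signing and encryption; an IdP that must encrypt assertions needs either
use="encryption" or an unqualified KeyDescriptor carrying a certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata modelled on the fragment in the post: the only
# KeyDescriptor is marked use="signing". Certificate value is a placeholder.
SAMPLE_SIGNING_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="ENTITY_ID_FOR_IDP">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def key_uses(metadata_xml: str) -> dict:
    """Return {"signing": n, "encryption": n}, counting KeyDescriptors that
    carry a certificate and are usable for each purpose."""
    root = ET.fromstring(metadata_xml)
    uses = {"signing": 0, "encryption": 0}
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.find(".//ds:X509Certificate", NS) is None:
            continue  # a KeyDescriptor without key material is unusable
        use = kd.get("use")  # missing attribute means both purposes
        for purpose in uses:
            if use is None or use == purpose:
                uses[purpose] += 1
    return uses


def supports_encrypted_assertions(metadata_xml: str) -> bool:
    """True when an IdP can find a key to encrypt assertions for this SP."""
    return key_uses(metadata_xml)["encryption"] > 0


if __name__ == "__main__":
    print(key_uses(SAMPLE_SIGNING_ONLY))  # {'signing': 1, 'encryption': 0}
    print(supports_encrypted_assertions(SAMPLE_SIGNING_ONLY))  # False
```

Run it against the SP metadata Keycloak actually serves for the broker; an IdP that requires encrypted assertions will refuse to issue them if the result is False.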

