[keycloak-user] import SAML keys via command line
John Dennis
jdennis at redhat.com
Wed Sep 20 09:34:48 EDT 2017
On 09/20/2017 05:14 AM, Pieter Lukasse wrote:
> Hi John,
>
> thanks for your replies. I might have caused some confusion by not
> stating the question clearly. I did have a screenshot in my initial
> post, but this is apparently not allowed...so I will try with words :)
>
> I am referring to the process of importing SAML keys when you are using
> the Administration console (from your browser). Go to "Clients" menu
> item, select a SAML client, and then click on "SAML Keys" tab. There you
> can import the keys. Now I am looking for a command line alternative for
> this, so I don't have to use the web page.
O.K., keys used for SAML SP signing and encryption are a different
story. I can't tell you how Keycloak stores these internally, nor should
you be dependent on whatever the current implementation is. You mentioned a
Java keystore, but that's just one possibility, plus you would have to
know how Keycloak manages the key names (including key rotation).
You should stick to using Keycloak's defined interfaces. The standard way
SAML SP keys are imported to an IdP is by loading the SP's metadata,
which contains the key(s). You can do this either with the Web UI, the
client registration protocol, or with the REST API. The latter two can be
done from the command line if you have the proper tooling to communicate
with the Keycloak endpoints. I've written code that does exactly this.
Or you can use the REST API to update the client representation directly
in lieu of using metadata. The Keycloak team has done some work on
providing a command line administration tool but I'm not sure of the
status of that effort.
But one question I'm left with is why you're changing an SP's keys so
often that this is actually a burden. (Or similarly, why you're not using
metadata.)
--
John
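A command-line version of the two routes John describes (feeding SP metadata to the client registration service, or updating the client representation through the Admin REST API), as an added example that is not John's own code. It assumes a 3.x-era Keycloak under the placeholder URL `https://keycloak.example.com/auth`, the realm name `myrealm`, curl and POSIX awk; the SP metadata it carries is constructed for offline testing and its certificate body is fake.

```shell
# Added example, not the list author's code. Assumes a 3.x-era Keycloak (REST
# paths under /auth), curl and POSIX awk, and an admin account allowed to use
# the password grant against the built-in "admin-cli" client.
set -eu
KC_BASE="${KC_BASE:-https://keycloak.example.com/auth}"  # assumed base URL
KC_REALM="${KC_REALM:-myrealm}"                           # assumed target realm

# Constructed SP metadata for offline testing; the certificate body is fake.
SAMPLE_SP_METADATA='<md:EntityDescriptor entityID="https://sp.example.com/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBCONSTRUCTED
      NOTAREALCERT
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>'

# First X509Certificate body from SP metadata on stdin, whitespace stripped:
# the form Keycloak keeps in the client's saml.signing.certificate attribute.
sp_cert_from_metadata() {
  awk 'BEGIN { RS = "<" }
       /^(ds:)?X509Certificate>/ { sub(/^[^>]*>/, ""); gsub(/[ \t\r\n]/, ""); print; exit }'
}

# Partial ClientRepresentation with only the signing certificate; the client
# update applies just the fields present, so other settings are left alone.
signing_cert_json() {
  printf '{"attributes":{"saml.signing.certificate":"%s"}}' "$1"
}

# Admin access token from the master realm (password grant, admin-cli client).
admin_token() {  # $1 = admin user, $2 = password
  curl -sf -d "grant_type=password&client_id=admin-cli" \
    --data-urlencode "username=$1" --data-urlencode "password=$2" \
    "$KC_BASE/realms/master/protocol/openid-connect/token" |
    sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Route 1 (the one John recommends): POST the SP metadata to the client
# registration service, which creates the client and imports its keys.
import_sp_metadata() {  # $1 = token, $2 = metadata file
  curl -sf -X POST -H "Authorization: Bearer $1" -H "Content-Type: application/xml" \
    --data-binary "@$2" "$KC_BASE/realms/$KC_REALM/clients-registrations/saml2-entity-descriptor"
}

# Route 2: replace the certificate on an existing client via the Admin REST API.
update_signing_cert() {  # $1 = token, $2 = client UUID (not its clientId), $3 = cert body
  curl -sf -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    -d "$(signing_cert_json "$3")" "$KC_BASE/admin/realms/$KC_REALM/clients/$2"
}
```

Route 2 needs the client's internal UUID, which is what the Admin REST API's `clients/{id}` path expects, not the SAML entityID shown as "Client ID" in the console.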