[keycloak-user] Keycloak Saml Client ID

[John Dennis]

On 3/8/19 1:50 PM, Victor Alejo wrote:
> Hi,
> 
> I am integrating Keycloak with my service using a saml client but I got all
> the time *unknown login requester" *error.
> 
> My service:
> - Uses Saml 2.0
> - SSO URL pointing to:
> https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protocol/saml
> <https://sso.develop.stentle.com/auth/realms/customer-support/protocol/saml>
> 
> - Certificate X.509 Added Working.
> 
> *- Identity Provider Issuer:  This is the value we I know how to set. *
> 
> - The client_ID value in the saml client of Keycloak:
> 
> "Specified ID referrenced in URI and tokens. For example 'my-client'  This
> is also the expected issuer value from auth request"
> 
> Anyone knows what should be in this value and how to related to the
> Identity Provider Issuer?

It's not related. There are two parties involved, the IdP (i.e. 
Keycloak) and the SP (i.e. your client). Each must know about the other, 
typically this done through SAML metadata exchange but Keycloak allows 
you to manually add the client if you don't have metadata.

Each party is identified by something SAML calls the entityID, it *must* 
be a URN. You will find the entityID for the SP in the EntityDescriptor 
of the clients metadata and the entityID in the EntityDescriptor in your 
Keycloak's realm metadata. Keycloak's clientid *is* the SAML SP's 
entityID and appears in the authnRequest sent by your SP to Keycloak. 
What is sent by your SP as it's entityID *must* match the entityID (i.e. 
clientid) registered in your Keycloak realm. To find the IdP entity 
description register or create your SAML SP client in your realm and 
then click on the Installation tab, then select SAML Metadata 
IDPSSODescriptor as the format. You SP may need this metadata depending 
on the client. It just so happens that the issuer field in the realms 
OpenID Endpoint Configuration matches the SAML IDP entityID, but it's 
best to pull this value from the SAML IDP metadata.


-- 
John Dennis