Add extensions to SAML metadata exported by Keycloak

ΚΩΝΣΤΑΝΤΙΝΟΣ ΓΕΩΡΓΙΛΑΚΗΣ

Oct 29, 2020, 3:31:07 AM10/29/20
to Keycloak Dev

Once a SAML Identity Provider is created, its SP metadata is available publicly by going to the following URL: http[s]://{host:port}/auth/realms/{realm-name}/broker/{broker-alias}/endpoint/descriptor. However, according to the Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 and its extensions, some fields are missing from the exported XML.

We briefly mention the information which is not exported below.

  • md:EntityDescriptor
    • md:Extensions
      • mdattr:EntityAttributes
        • saml:Attribute
      • mdrpi:RegistrationInfo
        • RegistrationAuthority
        • RegistrationPolicy
  • md:SPSSODescriptor
    • md:Extensions
      • mdui:UIInfo
        • mdui:DisplayName
        • mdui:Description
        • mdui:InformationURL
        • mdui:PrivacyStatementURL
        • mdui:Logo
    • md:AttributeConsumingService
      • md:ServiceName
      • md:ServiceDescription
      • md:RequestedAttribute
    • md:Organization
      • md:OrganizationName
      • md:OrganizationDisplayName
      • md:OrganizationURL
    • md:ContactPerson
      • md:Surname
      • md:EmailAddress

The metadata described below is common across all Identity Providers with the exception of the requestAttributes, which may be customized for a given Identity Provider (Attribute Importer SAML Identity Provider Mapper). We envision that this metadata will be configured per realm in a separate tab of the realm configuration panel. For every Identity Provider, the Keycloak SP Descriptor will include this additional information.

We make the assumption for now that the language tag is the realm's default locale if it exists. Otherwise, the locale is "en".

What do you believe?

We have opened Jira issue https://issues.redhat.com/browse/KEYCLOAK-16014.
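The following is an added example, not code from the post or from the Keycloak project. It shows the two halves of the proposal as runnable Python: `missing_extensions()` audits an SP descriptor against the element list above (useful for checking what a realm's `/broker/{alias}/endpoint/descriptor` actually publishes), and `add_extensions()` inserts those elements at the positions the SAML metadata schema requires, with `xml:lang` set per the post's assumption (realm locale, else "en"). The bare descriptor, the organization, contact, registration and requested-attribute values are all constructed sample data; note that the schema spells the contact surname element `md:SurName`, and that `registrationAuthority` is an attribute of `mdrpi:RegistrationInfo` rather than a child element.

```python
"""Audit and enrich a SAML SP descriptor with the optional metadata elements
from the post (added example; not Keycloak code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():          # keep readable prefixes on output
    ET.register_namespace(_prefix, _uri)
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Paths (relative to md:EntityDescriptor) of the elements the post lists as missing.
EXPECTED = [
    "md:Extensions/mdattr:EntityAttributes/saml:Attribute",
    "md:Extensions/mdrpi:RegistrationInfo/mdrpi:RegistrationPolicy",
    "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName",
    "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:Description",
    "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:InformationURL",
    "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL",
    "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:Logo",
    "md:SPSSODescriptor/md:AttributeConsumingService/md:ServiceName",
    "md:SPSSODescriptor/md:AttributeConsumingService/md:ServiceDescription",
    "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute",
    "md:SPSSODescriptor/md:Organization/md:OrganizationName",
    "md:SPSSODescriptor/md:Organization/md:OrganizationDisplayName",
    "md:SPSSODescriptor/md:Organization/md:OrganizationURL",
    "md:SPSSODescriptor/md:ContactPerson/md:SurName",   # schema spelling
    "md:SPSSODescriptor/md:ContactPerson/md:EmailAddress",
]

# Constructed sample modelled on a bare broker SP descriptor; not real Keycloak output.
BARE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keycloak.example.test/auth/realms/demo">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyName>sample-key</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://keycloak.example.test/auth/realms/demo/broker/idp-alias/endpoint" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _el(parent, qname, text=None, lang=None, at=None, **attrs):
    """Create a child element; `at` inserts at a position to respect schema order."""
    prefix, name = qname.split(":")
    el = ET.Element(f"{{{NS[prefix]}}}{name}", attrs)
    el.text = text
    if lang:
        el.set(XML_LANG, lang)
    if at is None:
        parent.append(el)
    else:
        parent.insert(at, el)
    return el


def missing_extensions(metadata_xml):
    """Return the EXPECTED paths that are absent from the descriptor."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root")
    return [p for p in EXPECTED if root.find(p, NS) is None]


def sp_child_order(metadata_xml):
    """Local names of md:SPSSODescriptor's children, for checking schema order."""
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    return [c.tag.split("}")[1] for c in sp]


def add_extensions(metadata_xml, realm_locale=None):
    """Insert the post's elements; xml:lang = realm locale, else "en" (post's assumption)."""
    lang = realm_locale or "en"
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor in document")
    sig = f"{{{NS['ds']}}}Signature"
    # EntityDescriptor: md:Extensions precedes the role descriptors (after any ds:Signature).
    ext = _el(root, "md:Extensions", at=1 if len(root) and root[0].tag == sig else 0)
    attr = _el(_el(ext, "mdattr:EntityAttributes"), "saml:Attribute",
               Name="urn:example:entity-category",          # constructed sample value
               NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
    _el(attr, "saml:AttributeValue", "urn:example:category:research")
    rpi = _el(ext, "mdrpi:RegistrationInfo", registrationAuthority="https://registrar.example.test")
    _el(rpi, "mdrpi:RegistrationPolicy", "https://registrar.example.test/policy", lang=lang)
    # SPSSODescriptor order: Extensions, KeyDescriptor*, Organization, ContactPerson, ...,
    # AssertionConsumerService+, AttributeConsumingService*.
    spext = _el(sp, "md:Extensions", at=1 if len(sp) and sp[0].tag == sig else 0)
    ui = _el(spext, "mdui:UIInfo")
    _el(ui, "mdui:DisplayName", "Demo realm", lang=lang)
    _el(ui, "mdui:Description", "Keycloak broker for the demo realm", lang=lang)
    _el(ui, "mdui:InformationURL", "https://keycloak.example.test/info", lang=lang)
    _el(ui, "mdui:PrivacyStatementURL", "https://keycloak.example.test/privacy", lang=lang)
    _el(ui, "mdui:Logo", "https://keycloak.example.test/logo.png", height="64", width="64")
    keyish = (spext.tag, f"{{{NS['md']}}}KeyDescriptor")
    pos = max(i + 1 for i, c in enumerate(sp) if c.tag in keyish)
    org = _el(sp, "md:Organization", at=pos)
    _el(org, "md:OrganizationName", "Example Org", lang=lang)
    _el(org, "md:OrganizationDisplayName", "Example Organisation", lang=lang)
    _el(org, "md:OrganizationURL", "https://example.test", lang=lang)
    contact = _el(sp, "md:ContactPerson", at=pos + 1, contactType="technical")
    _el(contact, "md:SurName", "Admin")
    _el(contact, "md:EmailAddress", "mailto:saml-admin@example.test")
    acs = _el(sp, "md:AttributeConsumingService", index="0")   # last in the sequence
    _el(acs, "md:ServiceName", "Demo realm login", lang=lang)
    _el(acs, "md:ServiceDescription", "Attributes imported by the realm's mappers", lang=lang)
    _el(acs, "md:RequestedAttribute", Name="urn:oid:0.9.2342.19200300.100.1.3",
        FriendlyName="mail", isRequired="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(missing_extensions(BARE_SP_METADATA))
    print(add_extensions(BARE_SP_METADATA, realm_locale="el"))
```

To audit a live broker, feed the XML fetched from the descriptor URL in the post to `missing_extensions()`; an empty list means every element the proposal asks for is present. Keeping the insertion positions schema-correct matters because federations validate uploaded SP metadata against the metadata XSD, and a descriptor with `md:Organization` after `md:AssertionConsumerService` is rejected even though every element is present.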
