New to keycloak - missing option for "SAML Metadata IDPSSODescriptor" on Installation page


Joel McLean
Dec 16, 2019, 12:17:19 AM
to Keycloak User
Hello Keycloak Community,

I'm messing around with Keycloak, trying to get it working in a proof of concept for a VMware vCloud Director platform that I am playing with.

The process should be fairly straightforward, using Spring-saml, however (after some frustration) I've noticed that in my lab instance of Keycloak, I am missing the option "SAML Metadata IDPSSODescriptor" on the Installation page for the client.

I have the option SAML Metadata SPSSODescriptor, but this obviously has a very different function.


I freshly re-installed Keycloak 8.0.1 to see if I'd somehow removed or locked out that option, but the option is missing on a fresh-to-death installation.

This is different from the options I've seen online in the few guides and information that's available: for example, I would expect to see:

So I'm wondering what option I am missing from my settings in Keycloak that is preventing me from having this option?

Thanks in advance for any guidance you can provide.

Joel McLean
Dec 16, 2019, 12:25:20 AM
to Keycloak User
Here's some more information:

I've installed 8.0.1 standalone out of the box (literally download, unzip, configure the IP, execute).

In my "about keycloak" settings area, I noticed this:
client-installation
docker-v2-variable-override
keycloak-oidc-jboss-subsystem
keycloak-saml
docker-v2-registry-config-file
saml-sp-descriptor
keycloak-saml-subsystem
keycloak-oidc-keycloak-json
docker-v2-compose-yaml
mod-auth-mellon

Should I expect to see "saml-idp-descriptor" here?

Jan Garaj
Dec 16, 2019, 2:12:24 AM
to Keycloak User
IDPSSODescriptor is a "variable" on the realm level, so you find it in the realm configuration (General tab). There is an endpoint for that, because many SPs support a URL. But you still have the option to save the XML response from the endpoint to a file manually:

(screenshot attachment: Capture.PNG)

Joel McLean
Dec 16, 2019, 3:17:19 AM
to Keycloak User
Thanks Jan,

I've taken a look at this endpoint file, and it seems to be very lightweight.

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="{my_idp_realm_url}">
  <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>{My_X509Key}</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>{My_X509Certificate}</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{my_idp_realm_url}/protocol/saml"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{my_idp_realm_url}/protocol/saml"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{my_idp_realm_url}/protocol/saml"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{my_idp_realm_url}/protocol/saml"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="{my_idp_realm_url}/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>

The examples I've seen of Keycloak issuing this file data are generally more detailed.

Is there a reason that I'm missing the IDPSSODescriptor? Or was that in a very old version of Keycloak?

Joel McLean
Dec 19, 2019, 11:07:31 PM
to Keycloak User
I am still quite stuck here.

I've tried using the jboss/keycloak docker image, and have not had any more success; I can get a very functional web interface, but missing the:

"Navigate to the Installation Tab and in the Format Option: select SAML Metadata IDPSSODescriptor, then copy or download the text that shows up in the dialog box"

Can anyone confirm whether this option has been removed?

The information provided at http://[myserver]:8080/auth/realms/[myrealm]/protocol/saml/descriptor just doesn't contain valid SAML Metadata.

I'm sure this is very basic stuff, but there's just nothing on the internet to suggest this was ever missing. Does this option exist for anyone else? If so, what version of keycloak are you running?

Bruno Oliveira
Dec 20, 2019, 5:15:05 AM
to Joel McLean, Keycloak User
Hi Joel, I'm no SAML expert, but digging into the sources I noticed that this change was introduced in the 6.0.0 release [1] and, from what I understood, it was to stay compliant with our OIDC well-known endpoint.

You can also see all the changes here[2]. I hope it helps.

[1] - https://issues.redhat.com/browse/KEYCLOAK-3373
[2] - https://github.com/keycloak/keycloak/pull/5944

On 2019-12-19, Joel McLean wrote:
>I am really quite still stuck here.
>
>I've tried using the jboss/keycloak docker image, and have not had any more
>success; I can get a very functional web interface, but missing the:
>
>"Navigate to the *Installation Tab* and in the *Format Option*: select *SAML
>Metadata IDPSSODescriptor*, then copy or download the text that shows up in
>the dialog box"
>
>Can anyone confirm has this option been removed?
>
>The information provided at
>http://[myserver]:8080/auth/realms/[myrealm]/protocol/saml/descriptor just
>doesn't contain valid SAML Metadata.
>
>I'm sure this is very basic stuff, but there's just nothing on the internet
>to suggest this was ever missing. Does this option exist for anyone else?
>If so, what version of keycloak are you running?
>


--
abstractj

Jan Guznar
Aug 5, 2020, 9:02:17 AM
to Keycloak User
Hi,
I am new to Keycloak and SAML. I have a fresh installation of Keycloak 5.0.0 with one realm and one client. I need to join Keycloak as an IdP to an academic federation.
I can export the SAML IDPSSODescriptor from client > installation, but I have to enrich the XML with Organization / ContactPerson / Extensions tags. How can I achieve this?

jan

On Friday, December 20, 2019 at 11:15:05 UTC+1, Bruno Oliveira wrote:
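Two things in this thread lend themselves to a worked check: what the realm descriptor Joel pasted actually gives a service provider (entity ID, signing certificate, SSO/SLO endpoints, NameID formats), and the post-processing Jan asks about (adding Organization and ContactPerson for a federation). The example below is added here and is not code from the thread or from Keycloak. It uses only Python's standard library. The SAMPLE document is constructed after the shape of the pasted descriptor, with the SAML metadata and XML-DSig namespace declarations that the live endpoint carries so that it parses; the realm URL, key name, certificate and contact details are placeholders. Extensions are not added, since their content is federation specific; note that the md:EntityDescriptor schema puts Extensions before the role descriptors and Organization/ContactPerson after them, which is why the code appends the latter at the end.

```python
"""Inspect a Keycloak realm SAML IdP descriptor and add federation metadata.

Added example, not code from the thread or from Keycloak. SAMPLE is constructed
after the descriptor pasted in the thread; entity ID, certificate and contact
details are placeholders, namespace declarations match what the endpoint emits.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)
ET.register_namespace("dsig", DS)

IDP = "https://idp.example.test/auth/realms/myrealm"  # placeholder realm URL
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" xmlns:dsig="{DS}" entityID="{IDP}">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <dsig:KeyInfo>
        <dsig:KeyName>PLACEHOLDER-KEY-NAME</dsig:KeyName>
        <dsig:X509Data>
          <dsig:X509Certificate>PLACEHOLDER-BASE64-CERT</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{IDP}/protocol/saml"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{IDP}/protocol/saml"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{IDP}/protocol/saml"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{IDP}/protocol/saml"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="{IDP}/protocol/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _binding_short(el):
    """'urn:...:bindings:HTTP-POST' -> 'HTTP-POST'."""
    return el.get("Binding").rsplit(":", 1)[-1]


def check_idp_descriptor(xml_text):
    """Summarise what an SP relies on from IdP metadata: entity ID, a signing
    certificate, the SSO/SLO endpoints and the NameID formats offered."""
    root = ET.fromstring(xml_text)
    out = {"is_entity_descriptor": root.tag == f"{{{MD}}}EntityDescriptor",
           "entity_id": root.get("entityID")}
    idp = root.find("md:IDPSSODescriptor", NS)
    out["has_idpsso"] = idp is not None
    if idp is None:
        return out
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    out["signing_certs"] = sum(1 for c in certs if (c.text or "").strip())
    out["wants_signed_requests"] = idp.get("WantAuthnRequestsSigned") == "true"
    out["sso_bindings"] = sorted(_binding_short(e) for e in idp.findall("md:SingleSignOnService", NS))
    out["slo_bindings"] = sorted(_binding_short(e) for e in idp.findall("md:SingleLogoutService", NS))
    out["nameid_formats"] = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)]
    # Endpoints served over plain http would let an on-path party tamper with
    # the SSO exchange, so flag any Location that is not https.
    out["all_endpoints_https"] = all(
        e.get("Location").startswith("https://") for e in idp.iter() if e.get("Location"))
    return out


def add_federation_metadata(xml_text, org_name, org_display, org_url,
                            contact_name, contact_email, lang="en"):
    """Append md:Organization and a technical md:ContactPerson. The schema
    orders both after the role descriptors, so appending to the root is correct."""
    root = ET.fromstring(xml_text)
    org = ET.SubElement(root, f"{{{MD}}}Organization")
    for tag, text in (("OrganizationName", org_name),
                      ("OrganizationDisplayName", org_display),
                      ("OrganizationURL", org_url)):
        ET.SubElement(org, f"{{{MD}}}{tag}", {XML_LANG: lang}).text = text
    contact = ET.SubElement(root, f"{{{MD}}}ContactPerson", contactType="technical")
    ET.SubElement(contact, f"{{{MD}}}GivenName").text = contact_name
    ET.SubElement(contact, f"{{{MD}}}EmailAddress").text = contact_email
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key, value in check_idp_descriptor(SAMPLE).items():
        print(f"{key}: {value}")
    print(add_federation_metadata(SAMPLE, "Example University", "Example U",
                                  "https://www.example.test", "IdP Operators",
                                  "idp-admin@example.test"))
```

Fetch the descriptor over HTTPS and compare the X509Certificate it carries with the realm's configured signing key before handing the file to an SP or a federation: that certificate is what the SP will trust for every assertion. If the federation requires signed metadata, sign the document after adding Organization and ContactPerson, since editing an already-signed XML document invalidates its signature.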

Saa Koo
Aug 10, 2020, 12:44:51 PM
to Keycloak User
Dear,

Did you manage to do this? I am also working on implementing Keycloak for an EDU federation and eduGAIN.

Best Regards,
Salko

Jan Guznar
Aug 10, 2020, 2:53:34 PM
to Saa Koo, Keycloak User
Hi, no, I'm stuck with this.
Jan

You received this message because you are subscribed to a topic in the Google Groups "Keycloak User" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/keycloak-user/Dzp47QZ6Cq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/ff981d05-b5d0-4ad4-b4c9-816f971fa832o%40googlegroups.com.