Multiple SAML signing/encrypting certificates


Francis Augusto Medeiros-Logeay

Oct 10, 2025, 12:31:41 PM
to 'Alexander Schwartz' via Keycloak User
Hi,

We use Keycloak as an IdP (CPT) for ADFS.

ADFS has a rollover procedure for certificates in which, when they generate a new certificate, they will use the older one for a grace period, and then switch to the new one. Both are included on the metadata.

Does Keycloak support importing those two certificates, in order to minimize downtime when ADFS starts using the new certificate to sign assertions?

I tried today to add both in a pem and import it to keycloak, but didn’t seem to work…

Best,

Francis

Francis Augusto Medeiros-Logeay

Oct 12, 2025, 8:58:14 AM
to 'Alexander Schwartz' via Keycloak User
Very good tip Joakim!

Thanks a lot for pointing that out!
__
Francis Augusto Medeiros-Logeay
Oslo, Norway
Sent from a mobile device

On 11 Oct 2025, at 10:26, Joakim Westlund <jocke.w...@gmail.com> wrote:


Have a look at
Automatic certificate management for SAML clients

Hopefully that will solve certificate handling with ADFS.




--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/keycloak-user/440F6796-4E23-414D-B50F-B55CDC2FE62F%40med-lo.eu.

Alexander Schwartz

Oct 15, 2025, 3:12:08 PM
to Francis Augusto Medeiros-Logeay, 'Alexander Schwartz' via Keycloak User
Hi Francis,

Keycloak 26.4 adds support for downloading keys from a metadata descriptor URL. See https://www.keycloak.org/docs/latest/release_notes/index.html#automatic-certificate-management-for-saml-clients for the announcement. So if the data from ADFS is available via such an endpoint, you could give it a try.

Best,
Alexander

--

Alexander Schwartz, RHCE

He/Him

Principal Software Engineer, Keycloak Maintainer

alexander...@ibm.com

IBM Data Privacy Statement

IBM Deutschland Research & Development GmbH

Chairman of the Supervisory Board: Wolfgang Wendt

Managing Director: David Faller

Registered office: Böblingen / Registration court: Amtsgericht Stuttgart, HRB 243294
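The rollover Francis describes (both the retiring and the new certificate published in the peer's metadata for a grace period) and the metadata-URL approach Alexander points to both come down to one thing on the verifying side: treat every signing certificate currently published in the metadata as trusted, not just one. The following is an added example illustrating that logic; it is not Keycloak or ADFS code. It parses a SAML 2.0 metadata document, collects all `KeyDescriptor` certificates usable for signing (`use="signing"` or no `use` attribute, which the metadata schema treats as covering both uses), and checks a presented signer certificate against that set. The metadata, entity ID and certificate bytes are constructed placeholders, not real X.509 data; `fetch_metadata` is included only to show where a periodic refresh from the descriptor URL would plug in and is not called offline.

```python
"""SAML metadata with two signing certificates during a rollover.

Added example (not Keycloak or ADFS code): collect every signing certificate
published in a SAML 2.0 metadata document and check a presented signer
certificate against that set. Sample metadata and certificate bytes below are
constructed placeholders, not real X.509 data.
"""
import base64
import hashlib
import re
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def signing_certs(metadata_xml: str) -> list[bytes]:
    """Return the DER bytes of every certificate the peer publishes for signing.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" descriptors are skipped.
    Certificates in metadata are often wrapped across lines, so whitespace is
    stripped before decoding.
    """
    root = ET.fromstring(metadata_xml)
    certs: list[bytes] = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode(re.sub(r"\s+", "", node.text or ""), validate=True)
            if der not in certs:  # the same certificate may be listed twice
                certs.append(der)
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the usual way to compare certificates."""
    return hashlib.sha256(der).hexdigest()


def is_trusted_signer(signer_der: bytes, metadata_xml: str) -> bool:
    """Accept a signature only if its certificate is one of the published signing certs."""
    trusted = {fingerprint(c) for c in signing_certs(metadata_xml)}
    return fingerprint(signer_der) in trusted


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Download current metadata (not called in the offline demo below).

    Over HTTPS the server certificate is what makes the downloaded key set
    trustworthy, so the descriptor URL should not be plain http.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# --- constructed sample data (placeholders, not real DER) --------------------
OLD_SIGNING_DER = b"constructed: certificate being retired by the peer"
NEW_SIGNING_DER = b"constructed: newly generated peer certificate"
ENCRYPTION_DER = b"constructed: encryption-only certificate"


def _wrapped_b64(der: bytes) -> str:
    """Base64 broken into short lines, as exported metadata usually carries it."""
    b64 = base64.b64encode(der).decode()
    return "\n".join(b64[i:i + 32] for i in range(0, len(b64), 32))


def _key_descriptor(der: bytes, use: str) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>\n{_wrapped_b64(der)}\n</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')


def build_metadata(*signing: bytes) -> str:
    """SP metadata (the role ADFS plays toward a Keycloak IdP) with the given signing certs."""
    body = "".join(_key_descriptor(d, "signing") for d in signing)
    body += _key_descriptor(ENCRYPTION_DER, "encryption")
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            f'entityID="https://sp.example.test/"><md:SPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{body}</md:SPSSODescriptor></md:EntityDescriptor>')


# During the grace period both certificates are published; afterwards only the new one.
GRACE_PERIOD_METADATA = build_metadata(OLD_SIGNING_DER, NEW_SIGNING_DER)
AFTER_ROLLOVER_METADATA = build_metadata(NEW_SIGNING_DER)

if __name__ == "__main__":
    for label, md in (("grace period", GRACE_PERIOD_METADATA),
                      ("after rollover", AFTER_ROLLOVER_METADATA)):
        print(f"{label}: {len(signing_certs(md))} signing cert(s); "
              f"old accepted={is_trusted_signer(OLD_SIGNING_DER, md)}, "
              f"new accepted={is_trusted_signer(NEW_SIGNING_DER, md)}")
```

The point of keeping the trusted set equal to whatever the metadata currently publishes is that the peer controls the cutover: during the grace period signatures from either certificate verify, and once the old `KeyDescriptor` disappears from the metadata it stops being accepted without any manual step on the IdP. An encryption-only certificate is never accepted as a signer, so the two key purposes stay separate.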

Francis Augusto Medeiros-Logeay

5:46 AM (9 hours ago)
to Alexander Schwartz, 'Alexander Schwartz' via Keycloak User
Thanks Alexander. Indeed, someone earlier pointed that out. So happy this feature was introduced, right when we needed it the most :)

Best,
Francis
