I know that in the SAML protocol the IdP and SP each hold their own key pair and do not expose their private keys to each other.
I assume the realm key below is the IdP key pair, which makes sense because the private key is not exposed.
But when I turn on "Client Signature Required" in the client settings, the SAML key is generated and the private key is exposed? That means the IdP knows the private key that will be used in the SP application.
It doesn't make sense; there must be something I got wrong. Can someone help clarify?
In the Name field type test_realm and click Create. In Keycloak SAML SPs are known as clients. To add the SP we must be in the Clients section of the realm. Click the Clients menu item on the left and click Create in the upper right corner to create a new client. Set the client protocol to SAML. From the Client Protocol drop down list, select saml.
Canonicalization method for XML signatures. Encrypt assertions in SAML documents with the realm’s private key. The AES algorithm is used with a key size of 128 bits. Expect that documents coming from a client are signed. Keycloak will validate this signature using the client public key or cert set up in the SAML Keys tab.
This value must match the issuer value sent with AuthNRequests. Keycloak will pull the issuer from the Authn SAML request and match it to a client by this value. This is the display name for the client whenever it is displayed in a Keycloak UI screen. You can localize the value of this field by setting up a replacement string value, i.e. ${myapp}.
In the case of JWT signed with a private key, Keycloak uses the realm private key. In the other cases, define a client secret. See the Client Authentication specifications for more information.
OK, I think I should know the answer.
My thought was correct: the client SAML key is used to sign the SAML request, and the realm key is used to sign the SAML response.
The client SAML private key should be kept on the client application's side. The reason Keycloak keeps it is that Keycloak provides an "installation" function, which makes it easy for the user to download the adapter configuration.
If the private key were not kept in Keycloak, the user would have to input the key value themselves, which may NOT be as convenient.
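The two signing roles this answer describes, shown as an added example that is not part of the original post and not Keycloak's own code: the SP signs the AuthnRequest with the client SAML key and the IdP verifies it with the client's public key (the value in the "SAML Keys" tab); the IdP signs the Response with the realm key and the SP verifies it with the realm's public key. It uses only the Go standard library and makes two simplifying assumptions, labelled in the comments: the messages and issuer URLs are constructed placeholders, and the raw message bytes are signed in place of the canonicalized XML-DSig <ds:SignedInfo>.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Party is one side of the exchange: the Keycloak realm (IdP) or the SAML client (SP).
// The private key never leaves the Party; peers only ever see PublicPEM().
type Party struct {
	Name       string
	privateKey *rsa.PrivateKey
}

// NewParty generates a fresh RSA key pair for the named party.
func NewParty(name string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, privateKey: key}, nil
}

// PublicPEM is the only key material a party publishes: the realm certificate on the
// IdP side, the value entered in the client's "SAML Keys" tab on the SP side.
func (p *Party) PublicPEM() ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&p.privateKey.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Sign produces an RSA-SHA256 PKCS#1 v1.5 signature, the primitive behind the
// rsa-sha256 XML-DSig algorithm. Real SAML signs the canonicalized <ds:SignedInfo>;
// signing the raw message bytes is a simplification assumed for this example.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.privateKey, crypto.SHA256, digest[:])
}

// Verify checks sig over msg against a peer's published public key.
func Verify(peerPublicPEM, msg, sig []byte) error {
	block, _ := pem.Decode(peerPublicPEM)
	if block == nil {
		return errors.New("no PEM block in peer public key")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return errors.New("peer key is not RSA")
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig)
}

// ExchangeResult records which verifications succeeded in RunExchange.
type ExchangeResult struct {
	RequestAcceptedByIdP        bool // AuthnRequest verified with the client's public key
	ResponseAcceptedBySP        bool // Response verified with the realm's public key
	RequestAcceptedWithRealmKey bool // must be false: the realm key cannot vouch for a client signature
	TamperedRequestAccepted     bool // must be false: a modified request no longer matches its signature
}

// RunExchange plays both sides with constructed, minimal SAML-like messages.
func RunExchange() (ExchangeResult, error) {
	var r ExchangeResult
	idp, err := NewParty("test_realm")
	if err != nil {
		return r, err
	}
	sp, err := NewParty("sp-client")
	if err != nil {
		return r, err
	}
	// Metadata exchange: only public keys cross the boundary.
	idpPub, err := idp.PublicPEM()
	if err != nil {
		return r, err
	}
	spPub, err := sp.PublicPEM()
	if err != nil {
		return r, err
	}

	// Constructed placeholders standing in for the real XML documents.
	authnRequest := []byte(`<samlp:AuthnRequest ID="_req1"><saml:Issuer>https://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest>`)
	response := []byte(`<samlp:Response ID="_resp1" InResponseTo="_req1"><saml:Issuer>https://idp.example.test/realms/test_realm</saml:Issuer></samlp:Response>`)

	// SP side: sign the AuthnRequest with the client SAML key ("Client Signature Required").
	reqSig, err := sp.Sign(authnRequest)
	if err != nil {
		return r, err
	}
	// IdP side: validate with the client public key from the SAML Keys tab, never with its own key.
	r.RequestAcceptedByIdP = Verify(spPub, authnRequest, reqSig) == nil
	r.RequestAcceptedWithRealmKey = Verify(idpPub, authnRequest, reqSig) == nil
	tampered := append(append([]byte{}, authnRequest...), ' ') // one extra byte breaks the digest
	r.TamperedRequestAccepted = Verify(spPub, tampered, reqSig) == nil

	// IdP side: sign the Response with the realm key; SP validates with the realm's public key.
	respSig, err := idp.Sign(response)
	if err != nil {
		return r, err
	}
	r.ResponseAcceptedBySP = Verify(idpPub, response, respSig) == nil
	return r, nil
}

func main() {
	r, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Nothing in RunExchange ever hands a private key across the boundary: the IdP verifies the client-signed request purely from the public key it was given, which is why, as the answer above says, Keycloak only needs to store the client's private key for the convenience of generating the adapter "installation" download, not for the protocol itself.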