Keycloak IdP SAML 2 Export of XML metadata to an SP

I'm using Keycloak version 1.6.1, newly installed as a standalone application.

Keycloak should act as an IdP (Identity provider) for an SP (Service Provider) called Tableau.

I have read from this page: http://blog.keycloak.org/2015/03/picketlink-and-keycloak-projects-are.html

... Keycloak from being Identity Broker grew into being fully fledged Identity Provider

While it was an Identity Broker, it is now also an Identity Provider.

My question is then:

I have exported the SP XML Metadata from Tableau, which I imported into Keycloak, but when it comes to the export of the IdP XML Metadata from Keycloak (which should be imported into Tableau) I cannot find the button, command, or guide, anything about how to export this XML file.

I have worked with other IdPs and they all support this export of IdP Metadata which you can see an example of here: https://docs.oracle.com/cd/E19636-01/819-7664/g2enua/index.html

If I search for Keycloak and the keyword IDPSSODescriptor I find this: grepcode.com/file/repo1.maven.org/maven2/org.keycloak/keycloak-saml-protocol/1.1.0.Beta2/idp-metadata-template.xml

Which is exactly the 'template' I need, with the correct links on all ${idp.sso.HTTP-POST} etc. places.

Should I create the file manually - if so how do I find the correct POST, REDIRECT etc. URLs?

Or is there some way of exporting this file I haven't seen?

asked Nov 05 '15 10:11 by Fowler


2 Answers

Since Keycloak 3.x, the IdP XML descriptor needs /auth/ after the Keycloak URL:

https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor
answered Oct 04 '22 01:10 by seb54000


The original poster is correct that the option SAML Metadata IDPSSODescriptor is no longer available on Keycloak 6.0.1.

One change to make is when you use the URL https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor, Rancher expects the root element to be EntityDescriptor so you need to remove EntitiesDescriptor and copy the namespaces from the root element.

i.e.

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}">
  ....

</EntityDescriptor>
answered Oct 04 '22 01:10 by Sandeep Bangera
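The following is an added example, not code from the question, either answer, or the Keycloak project. It works through both points raised in the thread against a constructed sample of what the realm descriptor endpoint returns: reading the HTTP-POST and HTTP-Redirect SingleSignOnService URLs that the original poster was looking for, and unwrapping the EntitiesDescriptor root into a standalone EntityDescriptor (namespace declarations re-attached) as the second answer describes. The hostname keycloak.example.test, the realm name demo and the certificate value are placeholders; the unwrapping refuses metadata that lists more than one entity or that carries no signing KeyDescriptor, because an SP without the IdP's signing certificate cannot verify the assertions it receives.

```python
"""Added example: parse a Keycloak-style SAML IdP descriptor and unwrap it.

Only the standard library is used. SAMPLE_DESCRIPTOR is constructed for this
example; hostname, realm and certificate are placeholders, not real values.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "dsig": DSIG_NS}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample shaped like the /realms/{REALM}/protocol/saml/descriptor
# output: an EntitiesDescriptor wrapping a single EntityDescriptor.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://keycloak.example.test/auth/realms/demo">
    <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <dsig:KeyInfo>
          <dsig:KeyName>example-key</dsig:KeyName>
          <dsig:X509Data>
            <dsig:X509Certificate>MIIB-PLACEHOLDER-CERTIFICATE</dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def sso_endpoints(metadata_xml):
    """Map binding short name ('HTTP-POST', 'HTTP-Redirect') to the SSO Location.

    Works whether the root is EntitiesDescriptor or EntityDescriptor.
    """
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        binding = svc.get("Binding", "")
        if binding.startswith(BINDING_PREFIX):
            endpoints[binding[len(BINDING_PREFIX):]] = svc.get("Location")
    return endpoints


def unwrap_entity_descriptor(metadata_xml):
    """Return the single EntityDescriptor as a standalone XML document string.

    Raises ValueError if the document does not contain exactly one
    EntityDescriptor, or if the IdP publishes no signing key (an SP cannot
    verify assertions without the IdP's signing certificate).
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        entity = root
    elif root.tag == f"{{{MD_NS}}}EntitiesDescriptor":
        entities = root.findall("md:EntityDescriptor", NS)
        if len(entities) != 1:
            raise ValueError(f"expected exactly one EntityDescriptor, found {len(entities)}")
        entity = entities[0]
    else:
        raise ValueError(f"unexpected root element {root.tag}")

    if entity.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']", NS) is None:
        raise ValueError("IdP metadata has no signing KeyDescriptor")

    # Register the prefixes so the serializer re-declares xmlns and xmlns:dsig
    # on the new root instead of inventing ns0/ns1 prefixes.
    ET.register_namespace("", MD_NS)
    ET.register_namespace("dsig", DSIG_NS)
    entity.tail = None  # drop the whitespace that followed it inside the wrapper
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(entity, encoding="unicode")


if __name__ == "__main__":
    print(sso_endpoints(SAMPLE_DESCRIPTOR))
    print(unwrap_entity_descriptor(SAMPLE_DESCRIPTOR))
```

In practice the input would be the body fetched from the descriptor URL quoted in the answers; the hand-edited variant shown in the second answer is what unwrap_entity_descriptor produces mechanically, and the ValueError paths flag a wrapper with several entities or a missing signing certificate before anything is pasted into the SP.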