I am trying to configure my Keycloak 9.0.0 to get it up and running with our existing Identity Providers in our organization. Our organization is running a Shibboleth instance, which seems to be somehow federated / managed by a bigger organization (I have no chance to see the “real” responsibilities). They are asking for Metadata of our Keycloak instance to authorize it in Shibboleth. The metadata must provide information about the “SPSSODescriptor” and a Certificate, but I cannot find any publicly available route to provide them the metadata. I can only download the descriptor and send it via mail, but the import on their side requires a web url to import our Metadata.
So… In the documentation I can’t find any information about export routes on this case. Is there a route? Or do I need to download the XML and provide an NGINX, which solely serves this files?
Sorry to resurrect an old thread, but this question was closest to my issue. I, like @n2o am trying to get Keycloak metadata to our Shibboleth IDP. I found the export tab under “Identity Providers” as well as the url @jangaraj provided, but neither xml snippet has information about signing or encryption keys. Is there a way to get information about the keys in that SPSSODescriptor snippet?
EDIT: I’m running the latest jboss/keycloak container as of a few days ago, should be version 9.0.2
Thanks for your posts. I tried to select the same as you, but still no SPSSODescriptor is showing up in the corresponding route /auth/realms/<realm>/protocol/saml/descriptor. Also, I have three active Keys, one of them is an RSA key… Still have no idea what is wrong with my configuration…
Oh, or I maybe misunderstood: In the export-Section there is the definition of the SPSSODescriptor, but it is missing under the link described above. But our company’s Shibboleth expects this XML to be accessible via a web server.
I faced the same issue. I found the URL in the Settings-tab of the Identity-provider (in the new versions of Keycloak the tab Export has disappeared )
In the Settings-tab is a field called ‘Endpoints’, it contains ‘SAML 2.0 Service Provider Metadata’ which is a url: (https://[keycloak-base-url]/auth/realms/[realmname]/broker/saml/endpoint/descriptor).
I hope I can help someone with this info.
As can be found in the official documentation [1], the SAML SP Descriptor URL for identity brokering is:
/auth/realms/{realm-name}/broker/{broker-alias}/endpoint/descriptor
The broker alias name is part of the URL.
(Which makes it impossible to add keycloak as an SP to SAML federations, btw…)
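To check what the broker descriptor URL quoted above actually returns before handing it to a federation operator (including the earlier question about whether signing and encryption keys are present), here is an added example that is not code from this thread or from Keycloak; it parses SP metadata with Python's standard library, and the base URL, realm and broker alias are placeholders.

```python
# Inspect a Keycloak SAML SP descriptor before handing its URL to a federation:
# is there an SPSSODescriptor, and does it carry signing/encryption keys?
from urllib.parse import quote
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def descriptor_url(base_url: str, realm: str, broker_alias: str) -> str:
    """Broker SP descriptor URL pattern quoted in the thread:
    /auth/realms/{realm-name}/broker/{broker-alias}/endpoint/descriptor"""
    return (f"{base_url.rstrip('/')}/auth/realms/{quote(realm, safe='')}"
            f"/broker/{quote(broker_alias, safe='')}/endpoint/descriptor")

def summarize_sp_metadata(xml_bytes: bytes) -> dict:
    """Return entityID, whether an SPSSODescriptor exists, and how many
    KeyDescriptors with a certificate are usable for signing / encryption."""
    root = ET.fromstring(xml_bytes)
    # The document may be a bare EntityDescriptor or an EntitiesDescriptor wrapper.
    entity = (root if root.tag == f"{{{NS['md']}}}EntityDescriptor"
              else root.find("md:EntityDescriptor", NS))
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    sp = entity.find("md:SPSSODescriptor", NS)
    result = {"entity_id": entity.get("entityID"), "has_spsso": sp is not None,
              "signing_keys": 0, "encryption_keys": 0}
    for kd in (sp.findall("md:KeyDescriptor", NS) if sp is not None else []):
        if kd.find(".//ds:X509Certificate", NS) is None:
            continue  # no certificate material, nothing a partner can use
        use = kd.get("use")  # absent 'use' means the key serves both purposes
        if use in (None, "signing"):
            result["signing_keys"] += 1
        if use in (None, "encryption"):
            result["encryption_keys"] += 1
    return result

# Constructed sample shaped like a Keycloak broker SP descriptor (placeholder cert).
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://kc.example/auth/realms/demo">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
  AuthnRequestsSigned="true" WantAssertionsSigned="true">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://kc.example/auth/realms/demo/broker/shib/endpoint" index="1"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Fetch the real descriptor with any HTTP client and pass the response body to `summarize_sp_metadata`; if `signing_keys` is 0, the partner IdP cannot validate your signed AuthnRequests from this metadata alone.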