Export SPSSODescriptor for Shibboleth


I am trying to configure my Keycloak 9.0.0 to get it up and running with our existing Identity Providers in our organization. Our organization is running a Shibboleth instance, which seems to be somehow federated / managed by a bigger organization (I have no chance to see the “real” responsibilities). They are asking for Metadata of our Keycloak instance to authorize it in Shibboleth. The metadata must provide information about the “SPSSODescriptor” and a Certificate, but I cannot find any publicly available route to provide them the metadata. I can only download the descriptor and send it via mail, but the import on their side requires a web url to import our Metadata.

So… In the documentation I can’t find any information about export routes on this case. Is there a route? Or do I need to download the XML and provide an NGINX, which solely serves this files?

Thanks for your help :slight_smile:

Try /auth/realms/<realm>/protocol/saml/descriptor.

Sorry to resurrect an old thread, but this question was closest to my issue. I, like @n2o am trying to get Keycloak metadata to our Shibboleth IDP. I found the export tab under “Identity Providers” as well as the url @jangaraj provided, but neither xml snippet has information about signing or encryption keys. Is there a way to get information about the keys in that SPSSODescriptor snippet?

EDIT: I’m running the latest jboss/keycloak container as of a few days ago, should be version 9.0.2

Do you see active rsa key in your realm configuration?

Yes, I do! I see three keys in my realm -> keys -> active configuration, one of which is the RSA key

Looks like if I select the following under Realm -> Identity Providers -> SAML Config:
Screen Shot 2020-04-23 at 3.07.14 PM
I get the signing and encryption keys in my SPSSODescriptor. Thanks for the help!

Thanks for your posts. I tried to select the same as you, but still no SPSSODescriptor is showing up in the the corresponding route /auth/realms/<realm>/protocol/saml/descriptor. Also, I have three active Keys, one of them is a RSA key… Still have no idea what is wrong with my configuration…

Oh, or I maybe misunderstood: In the export-Section there is the definition of the SPSSODescriptor, but it is missing under the link described above. But our company’s Shibboleth expects this XML to be accessible via a web server.

I faced the same issue. I found the URL in the Settings-tab of the Identity-provider (in the new versions of Keycloak the tab Export has disappeared :frowning: )
In the Settings-tab is a field called ‘Endpoints’, it contains ‘SAML 2.0 Service Provider Metadata’ which is a url: (https://[keycloak-base-url]/auth/realms/[realmname]/broker/saml/endpoint/descriptor).
I hope I can help someone with this info.


As casn be found on the official documentation [1], the SAML SP Desciptor URL for identity brokering is:

The broker alias name is part of the URL.
(Which makes it impossible to add keycloak as an SP to SAML federations, btw…)

[1] Server Administration Guide