How to configure Keycloak for a testing environment

We want to create a testing environment with the following components:

  • Identity provider would be Keycloak, which will be up and running on a CentOS machine. This is a global instance for every developer.

  • Service provider is a Spring Boot application with the SAML 2.0 extension.

Our goal is that every developer should be able to start the application, and his/her instance must use the single global Keycloak instance as the identity provider.

If you create a realm/client in the Keycloak admin GUI, you must insert just a static IP for the service provider. Does anybody know how we can tackle that problem?

Hackish: you can use a “fake” host name for the service provider, and each developer can point that fake name to his current instance IP via the local hosts file.

But I would create a self-service on top of the Keycloak Admin REST API, which allows developers to copy/provision/update/deprovision their own SAML/OIDC clients. They will have their own freedom with dev clients, and only prod clients will be managed by the main IAM administrator.
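The self-service layer suggested in the answer above, as an added example that is not part of the original thread: it builds a per-developer SAML client for the Admin REST API and refuses anything outside a dev prefix, so prod clients stay with the IAM administrator. The base URL, realm name, `dev-` prefix, helper names and the `/saml/SSO` path are assumptions.

```python
import ipaddress
import json
import re
import urllib.request

KEYCLOAK = "https://keycloak.example.test"  # placeholder base URL (assumption)
REALM = "dev"                               # hypothetical realm for developer clients
PREFIX = "dev-"                             # self-service only touches clients with this prefix

def dev_saml_client(developer: str, host: str, port: int = 8080) -> dict:
    """Build the ClientRepresentation for one developer's service provider."""
    if not re.fullmatch(r"[a-z][a-z0-9-]{1,30}", developer):
        raise ValueError("developer id must be a short lowercase name")
    ip = ipaddress.IPv4Address(host)        # rejects host names and wildcards
    if not ip.is_private:
        raise ValueError("dev clients must point at a private address")
    if not 1024 <= port <= 65535:
        raise ValueError("port out of range")
    base = f"http://{ip}:{port}"
    return {
        "clientId": f"{PREFIX}{developer}-sp",  # must equal the SP's SAML entity ID
        "protocol": "saml",
        "enabled": True,
        "baseUrl": base,
        "redirectUris": [f"{base}/saml/SSO"],   # exact URL, no wildcard (path assumed)
    }

def may_manage(client_id: str) -> bool:
    """Self-service never creates, updates or deletes clients outside the dev prefix."""
    return client_id.startswith(PREFIX)

def create_client(token: str, rep: dict) -> int:
    """POST the representation to the Admin REST API; 201 means created."""
    if not may_manage(rep["clientId"]):
        raise PermissionError("not a dev client")
    req = urllib.request.Request(
        f"{KEYCLOAK}/admin/realms/{REALM}/clients",  # older releases prefix /auth
        data=json.dumps(rep).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

The token passed to `create_client` should belong to a service account limited to client management in the dev realm, not to a realm administrator.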

Thank you very much for your response. I thought the product has some feature out of the box and with a little configuration it should be possible. I'll think about your second approach.