How to Set Static SAML Certificates for Docker Compose Setup

Hello,

I’m currently developing a Proof of Concept (PoC) demonstrating the use of Keycloak as both an Identity Provider (IdP) and a Service Provider (SP) for SAML authentication. The setup works well in my PoC, which is launched using Docker Compose. However, I’m facing an issue with the SAML certificates changing every time Keycloak restarts. This seems related to my container configuration in Docker Compose running on the host network.

As a Keycloak novice, beyond my PoC, I’m curious about how these certificates are defined and how this would work in a production environment. Specifically, I’m referring to the certificates found in the SAML descriptors, like: http://localhost:8082/realms/IdP_realm/protocol/saml/descriptor

I’ve tried generating certificates to add as HTTPS certificates, but it didn’t stop the SAML descriptor certificates from changing on restart.

Is there a way to import these certificates on startup for both IdP and SP, or to set them dynamically?

For reference, here is my current docker-compose file:

services:
  keycloak-sp:
    image: quay.io/keycloak/keycloak:22.0
    container_name: keycloak-sp
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_HTTP_PORT=8081
      - KC_HTTPS_PORT=8443
    network_mode: host
    command:
      # List form: each item is passed to kc.sh as its own argument
      - start-dev
      - --import-realm
      - --log-level=DEBUG
      - --https-certificate-file=/tmp/certs/keycloak-server.crt.pem
      - --https-certificate-key-file=/tmp/certs/keycloak-server.key.pem
    volumes:
      - ./realms/internal.json:/opt/keycloak/data/import/internal.json
      - ./realms/sp_with_idp.json:/opt/keycloak/data/import/sp.json
      - ./certs:/tmp/certs

  keycloak-idp:
    image: quay.io/keycloak/keycloak:22.0
    container_name: keycloak-idp
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_HTTP_PORT=8082
      - KC_HTTPS_PORT=8444
    network_mode: host
    command:
      # List form: each item is passed to kc.sh as its own argument
      - start-dev
      - --import-realm
      - --log-level=DEBUG
      - --https-certificate-file=/tmp/certs/keycloak-server.crt.pem
      - --https-certificate-key-file=/tmp/certs/keycloak-server.key.pem
    volumes:
      - ./realms/idp_with_sp_client.json:/opt/keycloak/data/import/idp.json
      - ./certs:/tmp/certs
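As an added check, not part of the original post: a Python script that extracts the signing certificate from a realm's SAML descriptor (the kind of document served at the IdP_realm descriptor URL above) and fingerprints it, so that a certificate changing across a container restart can be confirmed by comparing two snapshots rather than guessed from a failed SAML login. The descriptor embedded below is constructed, with placeholder certificate bytes rather than a real X.509 certificate.

```python
# Added example: fingerprint the certificates published in a Keycloak SAML
# descriptor and report which key uses changed between two snapshots.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed descriptor in the shape Keycloak serves under
# /realms/<realm>/protocol/saml/descriptor. The certificate body is
# placeholder base64 (decodes to "cert"), not a real X.509 certificate.
SAMPLE_DESCRIPTOR = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8082/realms/IdP_realm">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          Y2VydA==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def descriptor_certificates(descriptor_xml: str) -> dict:
    """Map each KeyDescriptor use (signing/encryption) to its base64 and SHA-256."""
    root = ET.fromstring(descriptor_xml)
    found = {}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        b64 = "".join(cert.text.split())  # tolerate wrapped base64
        der = base64.b64decode(b64)       # fingerprint the DER bytes
        found[kd.get("use", "unspecified")] = {
            "cert_b64": b64, "sha256": hashlib.sha256(der).hexdigest()}
    return found


def changed_uses(before_xml: str, after_xml: str) -> list:
    """Key uses whose fingerprint differs between two descriptor snapshots."""
    before = descriptor_certificates(before_xml)
    after = descriptor_certificates(after_xml)
    return sorted(u for u in before.keys() | after.keys()
                  if before.get(u, {}).get("sha256") != after.get(u, {}).get("sha256"))
```

Save the descriptor body before and after a restart and feed both strings to changed_uses; an empty list means the published signing certificate is stable.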