Hello,
I’m currently developing a Proof of Concept (PoC) demonstrating the use of Keycloak as both an Identity Provider (IdP) and a Service Provider (SP) for SAML authentication. The setup works well in my PoC, which is launched using Docker Compose. However, I’m facing an issue with the SAML certificates changing every time Keycloak restarts. This seems related to my container configuration in Docker Compose running on the host network.
As a Keycloak novice, beyond my PoC, I’m curious about how these certificates are defined and how this would work in a production environment. Specifically, I’m referring to the certificates found in the SAML descriptors, like: http://localhost:8082/realms/IdP_realm/protocol/saml/descriptor
I’ve tried generating certificates to add as HTTPS certificates, but it didn’t stop the SAML descriptor certificates from changing on restart.
Is there a way to import these certificates on startup for both IdP and SP, or to set them dynamically?
For reference, here is my current docker-compose file:
services:
  # SP-side Keycloak: hosts the realm that holds the SAML identity-provider entry
  keycloak-sp:
    image: quay.io/keycloak/keycloak:22.0
    container_name: keycloak-sp
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_HTTP_PORT=8081
      - KC_HTTPS_PORT=8443
    network_mode: host
    # each argument is its own list item so kc.sh receives them separately
    command:
      - start-dev
      - --import-realm
      - --log-level=DEBUG
      - --https-certificate-file=/tmp/certs/keycloak-server.crt.pem
      - --https-certificate-key-file=/tmp/certs/keycloak-server.key.pem
    volumes:
      # realm JSON files picked up by --import-realm
      - ./realms/internal.json:/opt/keycloak/data/import/internal.json
      - ./realms/sp_with_idp.json:/opt/keycloak/data/import/sp.json
      # HTTPS server certificate only; not used for SAML signing
      - ./certs:/tmp/certs
      # note: /opt/keycloak/data itself (dev-mode H2 database) is not persisted
  # IdP-side Keycloak: hosts the realm whose SAML descriptor the SP consumes
  keycloak-idp:
    image: quay.io/keycloak/keycloak:22.0
    container_name: keycloak-idp
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_HTTP_PORT=8082
      - KC_HTTPS_PORT=8444
    network_mode: host
    command:
      - start-dev
      - --import-realm
      - --log-level=DEBUG
      - --https-certificate-file=/tmp/certs/keycloak-server.crt.pem
      - --https-certificate-key-file=/tmp/certs/keycloak-server.key.pem
    volumes:
      - ./realms/idp_with_sp_client.json:/opt/keycloak/data/import/idp.json
      - ./certs:/tmp/certs
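The certificates in the SAML descriptor are the realm's own signing keys, not the HTTPS certificate passed on the command line. A realm imported without any key-provider components gets the default generated ones (rsa-generated and friends), and because the dev-mode database under /opt/keycloak/data is not mounted in the compose file above, each restart re-imports the realm and generates a fresh key pair. The script below is an added example for this thread, not Keycloak's own code: it patches a realm export before import, replacing the generated RSA provider with an imported key (Keycloak's "rsa" key provider, whose config carries the PEM bodies under "privateKey" and "certificate") and, for the SP realm, pinning that certificate on the SAML identity provider via "validatingX509Certificates". The component layout is the one Keycloak writes in realm exports; the PEM placeholders and the sample realm are constructed for the demo, and the function and file names are this example's own.

```python
"""Pin Keycloak's SAML signing key in a realm export so it survives restarts.

Added example for this thread, not Keycloak's own code. It assumes the
component layout Keycloak uses in realm exports for key providers
("components" -> "org.keycloak.keys.KeyProvider", providerId "rsa" for an
imported key with "privateKey"/"certificate" config values) and the
"validatingX509Certificates" setting of a SAML identity provider. Key and
certificate PEMs are generated outside this script (e.g. with openssl).
"""
import json
import re
import sys
import uuid

KEY_PROVIDER = "org.keycloak.keys.KeyProvider"
PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def pem_body(pem: str) -> str:
    """Base64 payload of one PEM block with header, footer and line breaks
    removed: the form in which the admin console stores uploaded keys."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM block")
    return "".join(m.group(1).split())


def rsa_key_component(name, key_pem, cert_pem, priority=200):
    """Component entry for Keycloak's imported-key provider ("rsa"). A
    priority above the generated provider's default of 100 makes this the
    key selected for signing."""
    return {
        "id": str(uuid.uuid4()),
        "name": name,
        "providerId": "rsa",
        "subComponents": {},
        "config": {
            "privateKey": [pem_body(key_pem)],
            "certificate": [pem_body(cert_pem)],
            "priority": [str(priority)],
            "algorithm": ["RS256"],
            "keyUse": ["SIG"],
            "enabled": ["true"],
            "active": ["true"],
        },
    }


def add_signing_key(realm, key_pem, cert_pem, name="saml-signing"):
    """Replace the realm's generated RSA signing provider with the imported
    key (in place). The SAML descriptor advertises every active signing key,
    so an rsa-generated provider left in place would still add a changing
    certificate next to the pinned one."""
    providers = realm.setdefault("components", {}).setdefault(KEY_PROVIDER, [])
    providers[:] = [p for p in providers if p.get("providerId") != "rsa-generated"]
    providers.append(rsa_key_component(name, key_pem, cert_pem))
    return realm


def pin_idp_certificate(realm, alias, cert_pem):
    """SP side: pin the IdP's signing certificate on the SAML identity
    provider with the given alias, so assertions signed with any other key
    are rejected (in place)."""
    for idp in realm.get("identityProviders", []):
        if idp.get("alias") == alias:
            idp.setdefault("config", {})["validatingX509Certificates"] = pem_body(cert_pem)
            return realm
    raise KeyError(f"no identity provider with alias {alias!r}")


def sample_realm():
    """Constructed stand-in for a realm export as --import-realm reads it:
    generated key providers plus one SAML identity provider."""
    return {
        "realm": "IdP_realm",
        "components": {KEY_PROVIDER: [
            {"name": "rsa-generated", "providerId": "rsa-generated",
             "config": {"priority": ["100"], "keySize": ["2048"]}},
            {"name": "hmac-generated", "providerId": "hmac-generated",
             "config": {"priority": ["100"]}},
        ]},
        "identityProviders": [
            {"alias": "keycloak-idp", "providerId": "saml", "config": {}}
        ],
    }


# Constructed placeholder PEMs (not real key material) so the demo runs offline.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nQUJD\nREVG\n-----END PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nR0hJ\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: realm.json key.pem cert.pem -> patched realm on stdout
        realm = json.load(open(sys.argv[1]))
        key, cert = open(sys.argv[2]).read(), open(sys.argv[3]).read()
    else:
        realm, key, cert = sample_realm(), FAKE_KEY, FAKE_CERT
    add_signing_key(realm, key, cert)
    print(json.dumps(realm, indent=2))
```

Generate the key pair once outside the containers (for example `openssl req -x509 -newkey rsa:2048 -nodes -keyout saml.key -out saml.crt -days 3650 -subj /CN=IdP_realm`), run the script over idp_with_sp_client.json with it, and run pin_idp_certificate over the SP realm with the same certificate; both descriptors then stay constant across restarts. Two caveats: a realm export taken from a running instance (`kc.sh export --realm IdP_realm --file ...`) already carries the generated key's private key and certificate in its component config, so importing such an export also preserves the keys; and in production the realm lives in a persistent database rather than being re-imported, with keys rotated deliberately by adding a new provider and lowering the old one's priority rather than by restart.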