Integrating Keycloak with the InCommon Federation

We would like to use Keycloak with the InCommon Federation (Federation - InCommon), and by extension eduGAIN, to allow individuals from thousands of research institutions to log into services we provide with their institutional credentials, rather than having to create a special user account in Keycloak for each service. The whole purpose of the InCommon federation was to avoid having to do a many-to-many exchange of IdP and SP metadata. InCommon provides a metadata registry of validated Identity Providers (IdP) and Service Providers (SP) that can be used by applications for user authentication.

We got stymied with what appears to be a requirement to enter each individual institution as an IdP in Keycloak, which is a daunting task given that there are thousands of InCommon Federation participating institutions, and the list changes frequently. Is there a way that Keycloak could just use the InCommon registry of IdPs, instead of having to enter each individually?

Keycloak also seems to want to provide different SP metadata (different entity IDs, endpoints) for each of the IdPs. The InCommon Federation expects a single set of SP Metadata, registered with the InCommon Federation, that any IdP in the federation could then use to authenticate requests coming from the Keycloak SP. Is there a way to set up a single SP endpoint in a realm that any of the InCommon Federation participants could use?

It would be nice if Keycloak itself could communicate with Identity Federations such as InCommon for the list of possible IdPs (discovery), and answer to any of those IdP with a single SP service point in Keycloak. Any ideas on how to do this?

Take a look at how CERN integrates its Indico instance with eduGAIN: they do use SATOSA as a SAML gateway with IdP resolution in front of Keycloak. [1]

Björn

[1] https://www.epj-conferences.org/articles/epjconf/pdf/2020/21/epjconf_chep2020_03012.pdf
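The discovery step the question above is asking about (one SP consuming a federation aggregate and learning which IdPs it can send users to) is what a SAML proxy such as SATOSA does from the aggregate metadata. The following is an added illustration, not code from the thread, CERN or the SATOSA project: it parses a constructed EntitiesDescriptor in the shape InCommon and eduGAIN publish and returns the IdPs that offer a given SingleSignOnService binding, skipping SP-only entities. The entity IDs and URLs are made up.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
SSO_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SSO_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample aggregate (two IdPs, one SP); not real federation entities.
# A real InCommon/eduGAIN aggregate is XML-signed and carries validUntil:
# verify the signature against the federation signing key and reject expired
# metadata before trusting any entry (signature handling is not shown here).
SAMPLE_AGGREGATE = """
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example:aggregate">
  <EntityDescriptor entityID="https://idp.example-university.edu/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-university.edu/idp/profile/SAML2/Redirect/SSO"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example-university.edu/idp/profile/SAML2/POST/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example-service.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example-service.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://login.example-lab.gov/saml">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://login.example-lab.gov/saml/sso/post"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def list_idps(aggregate_xml, binding=SSO_REDIRECT):
    """Map entityID -> SSO Location for every IdP in the aggregate that offers
    the requested binding. Entities without an IDPSSODescriptor (plain SPs)
    and IdPs lacking the binding are left out, so the result is exactly the
    set of discovery targets a single SP endpoint could send users to."""
    root = ET.fromstring(aggregate_xml)
    idps = {}
    for ed in root.iter("{%s}EntityDescriptor" % MD_NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only entity, not a login target
        for sso in idp.findall("md:SingleSignOnService", NS):
            if sso.get("Binding") == binding:
                idps[ed.get("entityID")] = sso.get("Location")
                break
    return idps
```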