Question regarding SAML Cert

Hello everyone,

I have a question regarding the SAML signing key and certificate.
My setup:
Keycloak running behind an NGINX reverse proxy. Certbot manages Let's Encrypt certificates for the SSL termination. Proxy mode is set to edge.
So the frontend cert will be rotated regularly.
Now my SAML descriptor presents the default certificate for the realm, which obviously does not match the Let's Encrypt certificate. This causes issues in AWS identity management, as there the certificate will be imported based on the SAML descriptor.
Is there a working solution for reverse proxy setups where Keycloak will present the frontend cert for SAML signing to the client? However, will I still have to rotate certificates in AWS all the time? And also on the other clients? This does not seem very manageable with 50+ clients/applications.