SAML client certificates expiration check


I would like to check on each realm if there are SAML clients and for each of them I would like to check if the certificate is valid or not. If its not valid or about to expire, I would like to send a notification by email.

Do you know if there is a feature like this on Keycloak ? I noticed we can use keycloak API to do this.
Is there a way to add this feature on Keycloak admin console ?

Thanks for your help
Best regards

That feature does not exist in current Keycloak. I would use Admin REST API to dump all clients (per realm) and then inspect their SAML encryption/sign certs in your favorite language.

Of course you can take it seriously and you can make a proper contribution to the Keycloak. That will need better initial discussion about design and features. E. g. who will be notified, why only by email, how often it will be executed,…


Thanks for your reply
Yes I used also Admin REST API to do this and it works fine
But I think it would be interesting to add this feature on Keycloak admin console (or I can do by myself but I don’t know exactly how to do this properly - if you have any resources I can read to start this feature, please tell me)
Do you know how to start a discussion with keycloak about the design of this feature ?
To answer your question

  • Who will be notified ? => we can set a mailing list email address so that only keycloak admins can know if there are certificates which will expire soon and then they can renew the certificate or delete the client if it’s not used any more.
  • Why only by email ? => we can also add an event on the keycloak admin console. I noticed we can log events and display them on the admin console. I don’t know if it’s a good use case or not
  • How often will it be executed ? => by default, it’s not executed. We can activate this job from the first SAML client creation on any realm of a Keycloak environment. By default, it will be executed once per month. We can set the periodicity if we want to (once per day, week, …, it depends on the number of SAML clients)
    If you have other ideas / suggestions, please tell me

Best regards

I would use GitHub discussion Discussions · keycloak/keycloak · GitHub

Thanks a lot for your help !
I am going to start a new discussion on Github