I have noticed that the Realm settings include an XML entity descriptor of the SAML API that Keycloak exposes. But should there not be a descriptor for each SAML client defined in the server configuration? Or is there always exactly one for each realm?
Correct, there is one IDP descriptor per realm and one SP descriptor per client. Please keep in mind IDP descriptor != SP descriptor.
Thanks for the reply! Can you:
- Describe the difference between the two, or lead me to some documentation? What purpose does each of them serve?
- How do I obtain the SP descriptor in the Keycloak interface?