I want to use keycloak to make our application work as a SAML service provider with an external Identity Provider.
I installed the latest keycloak not long ago, so its configuration will probably require further tweaking (and I definitely need further experience).
I managed to add the identity provider, and obtained the XML metadata from the “Export” tab in the provider configuration dashboard. However, when I submitted the XML to the people at the identity provider, they pointed out some issues:
they claim that
<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat> in our XML is outdated software and therefore a bit unusual these days. It is supported by them, but they suggest using something like
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>: how do I change that?
they asked us what attributes we need and in what format we expect them. We would need an email address and, optionally, a name for the user (but on the side of our application we could fill that with the email address). They suggested something like
FriendlyName="email" Name="urn:oid:0.9.2342.19200300.100.1.3" would be preferable. How do I set it up?
the XML does not show a certificate embedded. They asked if Keycloak cannot accept encrypted Assertions inbound, since that would be preferable as well. Again: how do I set this up?
Finally: is there a way to provide the Service Provider’s SAML metadata as a URL?
(Later on, I will need help to set the service up, but that deserves another post)