Set up a SAML service provider to work with an external Identity Provider

I want to use keycloak to make our application work as a SAML service provider with an external Identity Provider.

I installed the latest keycloak not long ago, so its configuration will probably require further tweaking (and I definitely need further experience :wink:).

I managed to add the identity provider, and obtained the XML metadata from the “Export” tab in the provider configuration dashboard. However, when I submitted the XML to the people at the identity provider, they pointed out some issues:

  1. they claim that <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat> in our XML is outdated software and therefore a bit unusual these days. It is supported by them, but they suggest using something like <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>, <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>, or <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>: how do I change that?

  2. they asked us what attributes we need and in what format we expect them. We would need an email address and, optionally, a name for the user (but on the side of our application we could fill that with the email address). They suggested something like FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" or FriendlyName="email" Name="urn:oid:0.9.2342.19200300.100.1.3" would be preferable. How do I set it up?

  3. the XML does not show a certificate embedded. They asked if Keycloak cannot accept encrypted Assertions inbound, since that would be preferable as well. Again: how do I set this up?

  4. Finally: is there a way to provide the Service Provider’s SAML metadata as a URL?

(Later on, I will need help to set the service up, but that deserves another post)
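The three metadata points the IdP team raised (NameIDFormat, RequestedAttribute entries for the email and displayName OIDs, and a published encryption certificate) can be checked mechanically before the SP metadata is sent out again. The checker below is an added example, not part of the original post and not Keycloak code; the two metadata documents it parses are constructed samples with placeholder entity IDs, endpoints and certificate text, and `check_sp_metadata` is a hypothetical helper name. It uses only the Python standard library.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used by SP metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAML2_NAMEID_PREFIX = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
LEGACY_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"

# Attributes the IdP team proposed in the post, keyed by FriendlyName.
EXPECTED_ATTRIBUTES = {
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
}


def check_sp_metadata(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the SP metadata
    declares a SAML 2.0 NameIDFormat, an encryption certificate and the
    requested attributes the IdP asked for."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element found"]

    # 1. NameIDFormat: flag the legacy Shibboleth 1.0 identifier.
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    if not formats:
        findings.append("no NameIDFormat declared")
    for fmt in formats:
        if fmt == LEGACY_NAMEID:
            findings.append(f"legacy NameIDFormat {fmt}; prefer a {SAML2_NAMEID_PREFIX}* value")
        elif not fmt.startswith(SAML2_NAMEID_PREFIX):
            findings.append(f"unrecognised NameIDFormat {fmt}")

    # 3. Encryption key: a KeyDescriptor with use="encryption" (or no use
    #    attribute, which means signing and encryption) carrying a certificate
    #    is what lets the IdP encrypt assertions to this SP.
    can_receive_encrypted = any(
        kd.get("use") in (None, "encryption")
        and kd.find(".//ds:X509Certificate", NS) is not None
        for kd in sp.findall("md:KeyDescriptor", NS)
    )
    if not can_receive_encrypted:
        findings.append("no encryption certificate published; IdP cannot encrypt assertions to this SP")

    # 2. Requested attributes: compare FriendlyName -> Name against the IdP's proposal.
    requested = {
        ra.get("FriendlyName"): ra.get("Name")
        for ra in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
    }
    if not requested:
        findings.append("no AttributeConsumingService/RequestedAttribute declared")
    for friendly, oid in EXPECTED_ATTRIBUTES.items():
        if requested.get(friendly) != oid:
            findings.append(f"RequestedAttribute {friendly} ({oid}) missing or uses a different Name")
    return findings


# Constructed sample: roughly what the post describes (legacy NameIDFormat,
# no certificate, no requested attributes). Entity ID and endpoint are placeholders.
LEGACY_SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of metadata that satisfies all three requests.
# The certificate body is a placeholder, not a real certificate.
HARDENED_SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="1"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example application</md:ServiceName>
      <md:RequestedAttribute isRequired="true" FriendlyName="email"
          Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute isRequired="false" FriendlyName="displayName"
          Name="urn:oid:2.16.840.1.113730.3.1.241"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, check_sp_metadata(doc) or "OK")
```

Run against the legacy sample the checker reports the legacy NameIDFormat, the missing encryption certificate and the missing requested attributes; against the hardened sample it reports nothing. The `KeyDescriptor` test treats an element without a `use` attribute as usable for encryption, which is the SAML metadata default, so a single dual-purpose key is accepted.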