I want to use Keycloak to make our application work as a SAML service provider with an external Identity Provider.
I installed the latest Keycloak not long ago, so its configuration will probably require further tweaking (and I definitely need further experience).
I managed to add the identity provider, and obtained the XML metadata from the “Export” tab in the provider configuration dashboard. However, when I submitted the XML to the people at the identity provider, they pointed out some issues:

- They claim that `<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>` in our XML is outdated software and therefore a bit unusual these days. It is supported by them, but they suggest using something like `<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>`, `<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>`, or `<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>`: how do I change that?
- They asked us what attributes we need and in what format we expect them. We would need an email address and, optionally, a name for the user (but on the side of our application we could fill that with the email address). They suggested something like `FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"` or `FriendlyName="email" Name="urn:oid:0.9.2342.19200300.100.1.3"` would be preferable. How do I set it up?
- The XML does not show a certificate embedded. They asked if Keycloak cannot accept encrypted Assertions inbound, since that would be preferable as well. Again: how do I set this up?
- Finally: is there a way to provide the Service Provider’s SAML metadata as a URL?
(Later on, I will need help to set the service up, but that deserves another post)
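As an added example (not part of the original post and not Keycloak code), the following Python script reads a SAML SP metadata document and reports the three points the IdP flagged: the legacy NameIDFormat, missing RequestedAttribute entries for the suggested OIDs, and the absence of an encryption certificate. The sample metadata is constructed and its entityID is a placeholder.

```python
# Added example: lint a SAML SP metadata document for the three points the IdP
# raised in the post. Standard library only; no Keycloak APIs are involved.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
LEGACY_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"
MODERN_NAMEIDS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
# Attribute OIDs the IdP suggested in the post, keyed by their friendly name.
WANTED_ATTRS = {"email": "urn:oid:0.9.2342.19200300.100.1.3",
                "displayName": "urn:oid:2.16.840.1.113730.3.1.241"}


def lint_sp_metadata(xml_text):
    """Return a list of findings; an empty list means all three points are satisfied."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element found"]
    findings = []
    formats = {e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text}
    if LEGACY_NAMEID in formats:
        findings.append("legacy NameIDFormat advertised: " + LEGACY_NAMEID)
    if not formats & MODERN_NAMEIDS:
        findings.append("no SAML 2.0 nameid-format advertised")
    requested = {a.get("Name") for a in
                 sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)}
    for friendly, oid in WANTED_ATTRS.items():
        if oid not in requested:
            findings.append("RequestedAttribute %s (%s) missing" % (friendly, oid))
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    enc_certs = [k for k in sp.findall("md:KeyDescriptor", NS)
                 if k.get("use") in (None, "encryption")
                 and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not enc_certs:
        findings.append("no encryption certificate: IdP cannot encrypt assertions")
    return findings


# Constructed sample resembling the exported metadata described in the post
# (placeholder entityID, legacy NameIDFormat, no attributes, no certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for finding in lint_sp_metadata(SAMPLE_METADATA):
        print("-", finding)
```

Running it against the constructed sample lists all five findings; a metadata file that advertises a SAML 2.0 NameIDFormat, requests both OIDs and carries an encryption KeyDescriptor with an X509Certificate yields an empty list.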