I'm using Keycloak version 1.6.1, newly installed as a standalone application.

Keycloak should act as an IdP (Identity provider) for an SP (Service Provider) called Tableau.

I have read from this page: http://blog.keycloak.org/2015/03/picketlink-and-keycloak-projects-are.html

... Keycloak from being Identity Broker grew into being fully fledged Identity Provider

While it was an Identity Broker, it is now also an Identity Provider.

My question is then:

I have exported the SP XML Metadata from Tableau, which I imported into Keycloak, but when it comes to the export of the IdP XML Metadata from Keycloak (which should be imported into Tableau) I cannot find the button/command/guide or anything about how to export this XML file.

I have worked with other IdPs and they all support this export of IdP Metadata which you can see an example of here: https://docs.oracle.com/cd/E19636-01/819-7664/g2enua/index.html

If I search for Keycloak and the keyword IDPSSODescriptor I find this: grepcode.com/file/repo1.maven.org/maven2/org.keycloak/keycloak-saml-protocol/1.1.0.Beta2/idp-metadata-template.xml

Which is exactly the 'template' I need, with the correct links on all ${idp.sso.HTTP-POST} etc. places.

Should I create the file manually - if so how do I find the correct POST, REDIRECT etc. URLs?

Or is there some way of exporting this file I haven't seen?

Simeon Leyzerzon
Fowler
  • Looks like they've changed the url a little bit: https://keycloack-url/realms/{REALM-NAME}/protocol/saml/descriptor – Chad Berkley Apr 18 '16 at 23:48

5 Answers

Sometimes it's a good thing to specify in writing what you need - which I did here on Stack Overflow.

I found the URL to where on Keycloak one can export the IdP XML

https://keycloak-url/realms/{REALM-NAME}/protocol/saml/descriptor

That gave me the IDPSSODescriptor.

I'll leave this thread here, so people can benefit from my mistakes.

Mogsdad
Fowler
    I want to get IDP XML for each client in Keycloak. I have received the http://10.164.44.105:9992/auth/admin/realms/{realmid}/clients/{client id}/installation/providers/{provider id} link but don't know what the provider id will be, so please suggest. – Manish Jain Sep 30 '16 at 12:04
  • Is this URL in the document? I am coming from AD FS world and used to sharing URLs with auto-update enabled so config/certs get synced automatically. I'm still digging through the docs to see if Keycloak has this feature. – John G Feb 05 '21 at 06:04
Since Keycloak 3.x, the IdP XML descriptor URL needs /auth/ after the Keycloak URL:

https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor
seb54000
The original poster is correct that the option SAML Metadata IDPSSODescriptor is no longer available on Keycloak 6.0.1.

One change to make is when you use the URL https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor, Rancher expects the root element to be EntityDescriptor so you need to remove EntitiesDescriptor and copy the namespaces from the root element.

i.e.

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}">
  ....

</EntityDescriptor>
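Added example (not code from the original answers or from Keycloak): a Python script that takes a descriptor of the shape the URL above returns, unwraps it into the bare EntityDescriptor that Rancher expects while keeping the metadata and dsig namespaces, and lists the HTTP-POST and HTTP-Redirect SSO URLs the question asked about. The sample metadata, the keycloak.example host and the certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "dsig": DSIG_NS}

# Constructed sample shaped like /realms/{REALM-NAME}/protocol/saml/descriptor output.
SAMPLE = """<EntitiesDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="https://keycloak.example/auth/realms/demo">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing"><dsig:KeyInfo><dsig:X509Data>
        <dsig:X509Certificate>MIIB-PLACEHOLDER-CERT</dsig:X509Certificate>
      </dsig:X509Data></dsig:KeyInfo></KeyDescriptor>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example/auth/realms/demo/protocol/saml"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example/auth/realms/demo/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def unwrap_entity_descriptor(xml_text: str) -> str:
    """Return the lone EntityDescriptor as a standalone document with the
    namespaces re-declared on it; already-unwrapped input passes through."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD_NS}}}EntitiesDescriptor":
        inner = root.findall("md:EntityDescriptor", NS)
        if len(inner) != 1:
            raise ValueError(f"expected one EntityDescriptor, found {len(inner)}")
        root = inner[0]
    elif root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    ET.register_namespace("", MD_NS)        # keep metadata as the default namespace
    ET.register_namespace("dsig", DSIG_NS)  # keep Keycloak's dsig prefix
    return ET.tostring(root, encoding="unicode")


def idp_summary(xml_text: str) -> dict:
    """Binding name -> Location for each SingleSignOnService, plus whether the
    IdP publishes a signing certificate (the SP verifies assertions against it)."""
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    endpoints = {s.get("Binding").rsplit(":", 1)[1]: s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = None if key is None else key.find(".//dsig:X509Certificate", NS)
    return {"endpoints": endpoints,
            "signing_cert": cert is not None and bool((cert.text or "").strip())}
```

Fetch the descriptor over HTTPS and compare the certificate it carries with the realm's signing key shown in the admin console before importing it into the SP, since the SP will trust any assertion signed by that certificate.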
In your realm click on 'Realm Settings' in the menu on the left. Under tab 'General' at 'endpoints' click on 'SAML 2.0 Identity Provider Metadata'. The IdP metadata will appear in a new browser tab.

ericj
I want to just enhance the answer of @ericj. You just need to click on 'SAML 2.0 Identity Provider Metadata'; once it is done it will be opened in a new tab, then you need to copy the URL of that new tab, go to your Service Provider and in the import section put this URL instead of importing a file in .xml format. Your SP will take all necessary data from that URL only. And it's done.