List: keycloak-dev
Subject: [keycloak-dev] Can KeyCloak support Multi-lateral SAML federation?
From: Chris.Phillips () canarie ! ca (Chris Phillips)
Date: 2018-09-10 14:55:40
Message-ID: F365057E-04C2-4A26-AFAA-F9FEE43A51FE () canarie ! ca
Hi.
I sent this to the Users list and have had zero response. Re-sending here on the dev list hoping to hear feedback and thoughts from Keycloak Devs on my questions around KeyCloak's ability to support multi-lateral federation and if it is on the roadmap.
Thanks and look forward to thoughts and comments..
Chris.
On 2018-08-30, 4:06 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Chris Phillips" <keycloak-user-bounces at lists.jboss.org on behalf of Chris.Phillips at canarie.ca> wrote:
Hi.
I'm going through assessing KeyCloak as being able to be an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak.
For an IdP to be considered interoperable in a multi-lateral SAML trust federation context, IdPs need to be able to do a base set of functions. These are some of the critical (but not only) ones:
* Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate
* validate the signature on the aggregate
* when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider.
I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something.
Is anyone using KeyCloak in this manner or are there plans for this functionality on KeyCloak's technical roadmap?
Some additional items to decorate my ask for information..
To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly.
The list of items important for interoperability can be seen here with the ones I called out above appearing in section 2.2.1: https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html
I've searched the keycloak-users list a bit and came across the reference to EntitiesDescriptor which led me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for reading in aggregates is not possible and maybe engineered out of the product itself. Am I right in thinking that?
Thoughts and insights welcome..
Chris.
___________________________________________________________________________________________
Chris Phillips
Technical Architect, Canadian Access Federation, CANARIE | chris.phillips at canarie.ca<mailto:chris.phillips at canarie.ca> | GPG: 0x7F6245580380811D
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
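The three steps Chris lists (fetch the aggregate, verify its signature, only then load the IdP and SP entities) as a small added Python example; it is not part of this thread or of Keycloak. The inline aggregate is constructed sample data, `verify_signature` is a hypothetical hook that must be backed by a real XML-DSig implementation (for example an xmlsec-based library keyed with the federation operator's signing certificate), and `cacheDuration` is used to derive the refresh interval:

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample aggregate (not real federation data): signed root, two IdPs, one SP.
SAMPLE_AGGREGATE = f"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="{MD}" xmlns:ds="{DS}" Name="urn:example:federation"
                    validUntil="2030-01-01T00:00:00Z" cacheDuration="PT1H">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <EntityDescriptor entityID="https://idp1.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp2.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def parse_cache_duration(value):
    """Convert an xs:duration such as PT1H or PT30M (time part only) into seconds."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value)
    if not m or not any(m.groups()):
        raise ValueError("unsupported cacheDuration: " + value)
    h, mi, s = (int(x or 0) for x in m.groups())
    return h * 3600 + mi * 60 + s

def load_aggregate(xml_text, verify_signature, now=None):
    """Fail-closed loader: return {'idps', 'sps', 'refresh_seconds'} or raise ValueError.
    verify_signature(root) is an injected XML-DSig check (hypothetical hook; in production
    back it with an xmlsec-based library and the federation operator's signing key)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("root element is not an EntitiesDescriptor")
    if root.find(f"{{{DS}}}Signature") is None or not verify_signature(root):
        raise ValueError("aggregate signature missing or invalid; nothing loaded")
    valid_until = datetime.fromisoformat((root.get("validUntil") or "").replace("Z", "+00:00"))
    if now >= valid_until:
        raise ValueError("aggregate has expired (validUntil has passed)")
    idps, sps = [], []
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        eid = ent.get("entityID")
        if ent.find(f"{{{MD}}}IDPSSODescriptor") is not None: idps.append(eid)
        if ent.find(f"{{{MD}}}SPSSODescriptor") is not None: sps.append(eid)
    refresh = parse_cache_duration(root.get("cacheDuration", "PT1H"))
    return {"idps": idps, "sps": sps, "refresh_seconds": refresh}
```

A scheduler would call `load_aggregate` every `refresh_seconds` and keep the previously loaded entity set when a fetch fails verification or has expired, so a bad download never empties the trust store.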