I started this playground project because I had a few problems configuring SAML2 with Keycloak and Spring Security SAML 2.0. Thomas Darimonts article How to secure a Spring Boot app with SAML and Keycloak and the corresponding spring-boot-security-saml-sample helped me a lot to get started.
- keycloak-saml-1-legacy (this basically is Thomas Darimonts spring-boot-security-saml-sample)
- keycloak-saml-2-only-application-properties
- keycloak-saml-3-only-java-config
- keycloak-saml-4-with-metadata-reloading
- keycloak-saml-5-with-bootiful-metadata-reloading
- keycloak-saml-6-with-metadata-caching-and-reloading
- Realm export (realm-export.json)
- Signing Key (X509 Certificate, X509 Private Key, JKS Keystore, P12 Keystore)
- Encryption Key (X509 Certificate, X509 Private Key, JKS Keystore, P12 Keystore)
- docker-compose up
- Import realm
- Create user in
DemoRealm
- Start example
- Login
They are configurable, but currently the registrationId
needs to be part of the URL.
- http://localhost:8080/saml/metadata
Default if legacy library is used (example 1)
- http://localhost:8080/saml2/service-provider-metadata/demo-saml-client
DEFAULT (example 3)
- http://localhost:8080/saml/metadata
HACK (example 4)
- http://localhost:8080/saml/metadata/demo-saml-client
ADJUSTED (example 5 and 6)
In a Keycloak SAML client configuration it is possible to manage signing
and encryption
keys.
Keycloak does not need to know the signing an encryption private keys.
It is possible to Generate new keys
, Import
and Export
keys.
If you generate new keys, keycloak stores both, the public and the private key, so that you can later export it as either JKS or PKCS12 keystore.
If you import existing keystores, only the public key will be stored.
This key has to be configured if Client Signature Required
is true
.
The client uses the private key to sign a SAML-Request and Keycloak uses the public key to verify it.
Keycloak does not need to know the private key.
This key has to be configured if Encrypt Assertions
is true
.
Keycloak encrypts the SAML-Assertion with the clients public key, and the client uses its private key to decrypt the SAML-Assertion.
Keycloak does not need to know the private key.