I'm using Keycloak version 1.6.1, newly installed as a standalone application.
Keycloak should act as an IdP (Identity provider) for an SP (Service Provider) called Tab
Since Keycloak 3.x, the IdP XML descriptor URL needs /auth/ after the Keycloak URL:
https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor
The original poster is correct that the option SAML Metadata IDPSSODescriptor
is no longer available in Keycloak 6.0.1.
One change to make is that when you use the URL https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor,
Rancher expects the root element to be EntityDescriptor,
so you need to remove EntitiesDescriptor
and copy the namespaces from the root element,
i.e.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}">
....
</EntityDescriptor>
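The unwrapping step described in the answer above, done programmatically instead of by hand, as an added example that is not part of this thread and is not Keycloak's or Rancher's own code. The hostname keycloak.example.test, the realm name "demo", the function names and the sample metadata are all constructed for the example; it uses only the Python standard library.

```python
"""Unwrap Keycloak SAML IdP metadata into a bare EntityDescriptor.

Added example, not code from the thread, Keycloak or Rancher. The hostname
keycloak.example.test, the realm "demo", the function names and the sample
metadata below are assumptions/constructed for this example.
"""
from typing import Optional
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Keep the prefixes Keycloak's descriptor uses (default namespace for metadata,
# "dsig" for XML Signature) so the unwrapped element serializes the way the
# answer above shows it, instead of with ElementTree's generated ns0/ns1.
ET.register_namespace("", MD_NS)
ET.register_namespace("dsig", DSIG_NS)

# Constructed sample shaped like the output of
# https://{KEYCLOAK-URL}/auth/realms/{REALM-NAME}/protocol/saml/descriptor:
# an EntitiesDescriptor wrapping the realm's single EntityDescriptor.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:keycloak" xmlns="{MD_NS}" xmlns:dsig="{DSIG_NS}">
  <EntityDescriptor entityID="https://keycloak.example.test/auth/realms/demo">
    <IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <dsig:KeyInfo>
          <dsig:KeyName>demo-signing-key</dsig:KeyName>
          <dsig:X509Data>
            <dsig:X509Certificate>BASE64-CERTIFICATE-PLACEHOLDER</dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://keycloak.example.test/auth/realms/demo/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def _md(tag: str) -> str:
    """Clark-notation name for an element in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{tag}"


def unwrap_entity_descriptor(metadata_xml: str,
                             expected_entity_id: Optional[str] = None) -> str:
    """Return the realm's EntityDescriptor as a stand-alone XML document.

    Handles both shapes Keycloak may hand back: a bare EntityDescriptor (returned
    unchanged) and an EntitiesDescriptor wrapper (unwrapped). ElementTree
    re-emits every namespace used in the subtree on the new root, which is the
    "copy the namespaces from the root element" step done by hand in the answer.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == _md("EntityDescriptor"):
        entity = root
    elif root.tag == _md("EntitiesDescriptor"):
        entities = root.findall(_md("EntityDescriptor"))
        if len(entities) != 1:
            raise ValueError(f"expected exactly one EntityDescriptor, found {len(entities)}")
        entity = entities[0]
    else:
        raise ValueError(f"unexpected root element {root.tag}")

    # The SP will trust assertions from whatever entityID and signing cert are in
    # here, so check them before pasting the result into the SP's configuration.
    if expected_entity_id is not None and entity.get("entityID") != expected_entity_id:
        raise ValueError(f"entityID {entity.get('entityID')!r} is not the expected IdP")
    idp = entity.find(_md("IDPSSODescriptor"))
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    if not any(k.get("use") in (None, "signing")
               for k in idp.findall(_md("KeyDescriptor"))):
        raise ValueError("IDPSSODescriptor carries no signing KeyDescriptor")

    entity.tail = None  # drop the wrapper's indentation whitespace after the element
    return ET.tostring(entity, encoding="unicode")


if __name__ == "__main__":
    print(unwrap_entity_descriptor(
        SAMPLE_METADATA, "https://keycloak.example.test/auth/realms/demo"))
```

Fetch the descriptor over HTTPS from the Keycloak host you actually operate, and pass the realm URL you expect as expected_entity_id: the entityID and the signing certificate in this document are what the SP will accept assertions from, so a descriptor fetched from the wrong place is a trust problem, not just a formatting one.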
Sometimes it's a good thing to specify in writing what you need - which I did here on Stack Overflow.
I found the URL where one can export the IdP XML from Keycloak:
https://keycloak-url/realms/{REALM-NAME}/protocol/saml/descriptor
That gave me the IDPSSODescriptor.
I'll leave this thread here, so people can benefit from my mistakes.