Reputation: 1955
I have set up a keycloak server. Then I created a realm and in that realm a SAML-IDP. So my keycloak server is a SAML-SP that uses that IDP for authentication. The IDP needs the SAML-Metadata. I can export it in the keycloak admin console in the "export" tab of the IDP entry. I can also download it here:
http[s]://{host:port}/auth/realms/{realm-name}/broker/{broker-alias}/endpoint/descriptor
But the metadata does not contain an X509 certificate:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://keycloak.sample/auth/realms/nodejs-example">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.sample/auth/realms/nodejs-example/broker/idp.devel/endpoint"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.sample/auth/realms/nodejs-example/broker/idp.devel/endpoint"
        index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
How do I get one into the metadata?
Upvotes: 2
Views: 10002
Reputation: 919
You can now, in KC 13.0.1, sign your metadata with your realm keypair. Check more here: https://www.keycloak.org/docs/latest/server_admin/#saml-v2-0-identity-providers
Sign Service Provider Metadata - If true, it will use the realm’s keypair to sign the SAML Service Provider Metadata descriptor.
Upvotes: 0
Reputation: 1339
Question: The SAML SP metadata does not contain an X509 certificate.
How do I get one into the metadata?
Answer:
It is OK that the SAML SP metadata of Keycloak does NOT contain an X509 certificate if (I) the Keycloak SAML SP does NOT need to sign the SAML authentication request or (II) the SAML IdP is NOT required to encrypt the SAML assertion for the Keycloak SAML SP.
(1) SAML SP metadata does NOT necessarily contain an X509 certificate. That is, an X509 certificate is NOT mandatory for SAML SP metadata.
For example, both Google G Suite and ComponentSpace provide SAML SP metadata without an X509 certificate.
(I) The SAML SP metadata of Google G Suite does NOT contain an X509 certificate. I uploaded the SAML SP metadata of Google G Suite into a Shibboleth SAML IdP server and then logged in to Google G Suite through SAML authentication provided by the Shibboleth SAML IdP successfully.
For your reference on SAML SP metadata without an X509 certificate, I have made the 14th commit to upload the Google G Suite SAML SP metadata and the corresponding SAML configuration to the GitHub repository "How to build and run Shibboleth SAML IdP and SP using Docker container".
(II) ComponentSpace Development provides guidance on how to generate SAML service provider metadata with no certificates.
No signature or encryption certificates were specified so no certificates were included in the generated metadata.
ExportMetadata.exe
SAML configuration file to export [saml.config]:
X.509 signature certificate file [None]:
X.509 encryption certificate file [None]:
Assertion Consumer Service URL [None]: http://localhost:51901/SAML/AssertionConsumerService.aspx
Single Logout Service URL [None]:
Partner Identity Provider Name [None]:
SAML metadata file [metadata.xml]:
(2) SAML SP metadata needs to contain an X509 certificate if the SAML SP needs to sign the SAML authentication request or the SAML IdP needs to encrypt the SAML assertion.
(3) Quite different from a SAML SP, SAML IdP metadata should contain at least one X509 certificate for signing the SAML response/assertion.
Follow-up answer provided by Galdor:
If you require SAML IdP to encrypt SAML assertion for Keycloak SAML SP
(I) Set "Want Assertions Encrypted" in the IDP-Configuration to ON and instantly the X509Certificate entry appears in the Export tab.
(II) Download SAML SP metadata of Keycloak, which should contain X509 certificate for encryption.
Upvotes: 2
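The rules in this answer, and the bare Keycloak export in the question, can be turned into a mechanical check an IdP operator can run on any SP metadata before importing it. The following is an added example (not code from the question, the answers, or Keycloak) that reads SAML 2.0 metadata with the standard library and reports which KeyDescriptor certificates are present versus which the descriptor's own flags call for: a signing key when AuthnRequestsSigned="true", an encryption key when the IdP is meant to encrypt assertions (the "Want Assertions Encrypted" case), and at least one signing key for any IdP. All metadata documents in it are constructed for the example, the entityIDs and endpoints are hypothetical, and the certificate body is a placeholder DER SEQUENCE, not a real X.509 certificate.

```python
"""Added example: report the X509 certificates SAML 2.0 metadata publishes versus the ones
its flags require. Standard library only; all metadata below is constructed for the example."""
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Placeholder certificate body: base64 of a minimal DER SEQUENCE (30 03 02 01 00).
# It is NOT a real X.509 certificate; a real export carries the full DER certificate here.
FAKE_CERT_B64 = "MAMCAQA="

def key_descriptor(use=None, cert_b64=FAKE_CERT_B64):
    """Build a <KeyDescriptor>; omitting 'use' means the key serves both signing and encryption."""
    use_attr = f' use="{use}"' if use else ""
    return (f'<KeyDescriptor{use_attr}><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>'
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></KeyDescriptor>")

def sp_metadata(authn_requests_signed, key_descriptors=""):
    """Constructed SP metadata shaped like the Keycloak broker export in the question."""
    return f"""<EntityDescriptor xmlns="{MD}" entityID="https://keycloak.sample/auth/realms/nodejs-example">
  <SPSSODescriptor AuthnRequestsSigned="{str(authn_requests_signed).lower()}" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key_descriptors}
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.sample/auth/realms/nodejs-example/broker/idp.devel/endpoint"
        index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def idp_metadata(key_descriptors=""):
    """Constructed IdP metadata (hypothetical entityID and endpoint)."""
    return f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key_descriptors}
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def collect_certs(role_descriptor):
    """Return ({'signing': [...], 'encryption': [...]}, problems) for one role descriptor."""
    certs = {"signing": [], "encryption": []}
    problems = []
    for kd in role_descriptor.findall(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")
        roles = [use] if use in certs else ["signing", "encryption"]
        for el in kd.iter(f"{{{DS}}}X509Certificate"):
            blob = "".join((el.text or "").split())  # drop PEM-style line breaks
            try:
                der = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"{'/'.join(roles)} certificate is not valid base64")
                continue
            if not der.startswith(b"\x30"):  # every X.509 Certificate is a DER SEQUENCE
                problems.append(f"{'/'.join(roles)} certificate does not decode to a DER SEQUENCE")
            for r in roles:
                certs[r].append(blob)
    return certs, problems

def check_sp(xml_text, idp_encrypts_assertions=False):
    """Rule (2): an SP must publish a signing key if it signs AuthnRequests and an
    encryption key if the IdP is expected to encrypt assertions for it."""
    sp = ET.fromstring(xml_text).find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return {"ok": False, "problems": ["no SPSSODescriptor in metadata"], "signing": 0, "encryption": 0}
    certs, problems = collect_certs(sp)
    if sp.get("AuthnRequestsSigned", "false").lower() == "true" and not certs["signing"]:
        problems.append("AuthnRequestsSigned=true but no signing certificate is published")
    if idp_encrypts_assertions and not certs["encryption"]:
        problems.append("IdP is expected to encrypt assertions but no encryption certificate is published")
    return {"ok": not problems, "problems": problems,
            "signing": len(certs["signing"]), "encryption": len(certs["encryption"])}

def check_idp(xml_text):
    """Rule (3): an IdP must publish at least one signing key, or nobody can verify its responses."""
    idp = ET.fromstring(xml_text).find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return {"ok": False, "problems": ["no IDPSSODescriptor in metadata"], "signing": 0, "encryption": 0}
    certs, problems = collect_certs(idp)
    if not certs["signing"]:
        problems.append("IdP publishes no signing certificate")
    return {"ok": not problems, "problems": problems,
            "signing": len(certs["signing"]), "encryption": len(certs["encryption"])}

if __name__ == "__main__":
    print("bare SP, IdP not encrypting: ", check_sp(sp_metadata(False)))
    print("bare SP, IdP encrypting:     ", check_sp(sp_metadata(False), idp_encrypts_assertions=True))
    print("SP after enabling encryption:", check_sp(sp_metadata(False, key_descriptor("encryption")), True))
    print("IdP without signing key:     ", check_idp(idp_metadata()))
```

Run against a real Keycloak export, replace the constructed documents with the downloaded descriptor text; the check deliberately treats a KeyDescriptor without a use attribute as usable for both purposes, which is what the metadata schema specifies, so a single unqualified key satisfies both rules.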
Reputation: 1955
According to winstonhong's answer the keycloak server doesn't need a certificate in this configuration. I set "Want Assertions Encrypted" in the IDP-Configuration to ON and instantly the X509Certificate entry appears in the Export tab.
Upvotes: 1