edmaputra

Reputation: 17

Keycloak - ADFS SAML Automatic Certificate Rollover

Does Keycloak support ADFS Automatic Certificate Rollover for the SAML protocol?

I searched the official documentation but could not find anything, or maybe I missed it, so your help is very precious. Thanks.

Upvotes: 1

Views: 1412

Answers (1)

If you're setting up Keycloak to act as an SP to an ADFS IdP, there will be three certificates in ADFS: SSL, token signing and token decryption.

When the SSL certificate expires, make sure to configure the renewed SSL certificate as your service communication certificate. This does not happen automatically.

Token signing certificates are standard X509 certificates that are used to securely sign all tokens that the federation server issues. Token decryption certificates are standard X509 certificates that are used to decrypt any incoming tokens. They are also published in federation metadata, and by default AD FS is configured to generate token signing and token decryption certificates automatically at the initial configuration time.

In ADFS, a property called AutoCertificateRollover describes whether AD FS is configured to renew token signing and token decrypting certificates automatically.

If AutoCertificateRollover is set to TRUE, the AD FS certificates will be renewed and configured in AD FS automatically. Once the new certificate is configured, in order to avoid an outage, you must ensure that each federation partner (represented in your AD FS farm by either relying party trusts or claims provider trusts) is updated with this new certificate. Get the detailed information from this document.

For "Manage certificates for federated single sign-on in Azure Active Directory", kindly go through the document.

Upvotes: 2
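The answer's point is that AutoCertificateRollover renews the ADFS side and publishes the new certificate in federation metadata, but the relying party (here Keycloak) has to pick it up itself. As an added example, not code from the question, the answer, Keycloak or ADFS, the Python script below compares the signing certificates an ADFS IdP currently publishes with the fingerprints of the certificates a Keycloak SAML identity-provider entry trusts, and reports what is new or stale. The metadata document, the placeholder certificate bytes and the SHA-256 hex fingerprint convention are constructed for the example; in practice you would fetch `https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml` (the standard ADFS metadata path) and take the trusted certificates from the identity provider's settings in Keycloak.

```python
"""Detect an ADFS token-signing certificate rollover from the SP side.

Compares the signing certificates published in ADFS federation metadata with the
fingerprints of the certificates a Keycloak SAML identity-provider entry trusts.
Added example; not Keycloak or ADFS code.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder bytes standing in for DER-encoded certificates.
OLD_SIGNING_DER = b"constructed placeholder: current ADFS token-signing certificate"
NEW_SIGNING_DER = b"constructed placeholder: secondary cert created by AutoCertificateRollover"
DECRYPTION_DER = b"constructed placeholder: ADFS token-decryption certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, upper-case hex (example convention)."""
    return hashlib.sha256(der).hexdigest().upper()


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


def _key_descriptor(use: str, der: bytes) -> str:
    """Build one <KeyDescriptor> element; an empty 'use' omits the attribute."""
    use_attr = f' use="{use}"' if use else ""
    return (
        f"<KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{_b64(der)}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
    )


# Constructed federation metadata in the shape ADFS publishes: one decryption
# certificate and, mid-rollover, two signing certificates (primary + secondary).
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'entityID="http://adfs.example.test/adfs/services/trust">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key_descriptor("encryption", DECRYPTION_DER)
    + _key_descriptor("signing", OLD_SIGNING_DER)
    + _key_descriptor("signing", NEW_SIGNING_DER)
    + "</IDPSSODescriptor></EntityDescriptor>"
)


def published_signing_certs(metadata_xml: str) -> dict:
    """Return {fingerprint: der} for every signing certificate in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # Per SAML metadata, a KeyDescriptor with no 'use' attribute is valid for
        # both signing and encryption, so it must be treated as a signing key too.
        if kd.get("use") not in (None, "signing"):
            continue
        for el in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((el.text or "").split()))
            certs[fingerprint(der)] = der
    return certs


def rollover_status(metadata_xml: str, trusted_fingerprints) -> dict:
    """Diff the IdP's published signing certs against what the SP currently trusts."""
    published = set(published_signing_certs(metadata_xml))
    trusted = {fp.replace(":", "").upper() for fp in trusted_fingerprints}
    return {
        "new_in_metadata": sorted(published - trusted),   # import these into Keycloak
        "stale_in_keycloak": sorted(trusted - published),  # remove once no longer needed
        "in_sync": published == trusted,
    }


if __name__ == "__main__":
    status = rollover_status(SAMPLE_METADATA, [fingerprint(OLD_SIGNING_DER)])
    for fp in status["new_in_metadata"]:
        print("ADFS published a signing cert Keycloak does not trust:", fp)
    for fp in status["stale_in_keycloak"]:
        print("Keycloak trusts a signing cert ADFS no longer publishes:", fp)
    print("in sync" if status["in_sync"] else "update Keycloak's validating certificates")
```

Run on a schedule against the live metadata URL, a non-empty `new_in_metadata` list is the signal that ADFS has rolled over and the Keycloak identity provider needs the new certificate added before the old one is retired; keeping both until the IdP stops publishing the old one avoids the outage the answer warns about.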
