libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

Some options of SAML IDP were missing in the documentation

Browse source 
closes #1743
This commit is contained in:
mposolda 2023-01-11 11:10:13 +01:00 committed by Marek Posolda
parent 5ca38aa96b
commit 53fe2a86dc
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
server_admin/topics/identity-broker/saml.adoc
View file

@ -19,6 +19,9 @@ image:images/saml-add-identity-provider.png[Add Identity Provider]
|Service Provider Entity ID |Service Provider Entity ID
|The SAML Entity ID that the remote Identity Provider uses to identify requests from this Service Provider. By default, this setting is set to the realms base URL `<root>{kc_realms_path}/{realm-name}`. |The SAML Entity ID that the remote Identity Provider uses to identify requests from this Service Provider. By default, this setting is set to the realms base URL `<root>{kc_realms_path}/{realm-name}`.
|Identity Provider Entity ID
|The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.
|Single Sign-On Service URL |Single Sign-On Service URL
|The SAML endpoint that starts the authentication process. If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there. |The SAML endpoint that starts the authentication process. If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there.
@ -49,11 +52,21 @@ image:images/saml-add-identity-provider.png[Add Identity Provider]
|Want AuthnRequests Signed |Want AuthnRequests Signed
|When *ON*, {project_name} uses the realm's keypair to sign requests sent to the external SAML IDP. |When *ON*, {project_name} uses the realm's keypair to sign requests sent to the external SAML IDP.
|Want Assertions Signed
|Indicates whether this service provider expects a signed Assertion.
|Want Assertions Encrypted
|Indicates whether this service provider expects an encrypted Assertion.
|Signature Algorithm |Signature Algorithm
|If *Want AuthnRequests Signed* is *ON*, the signature algorithm to use. Note that `SHA1` based algorithms are deprecated and may be removed in a future release. |If *Want AuthnRequests Signed* is *ON*, the signature algorithm to use. Note that `SHA1` based algorithms are deprecated and may be removed in a future release.
We recommend to use some more secure algorithm instead of `*_SHA1`. Also, with `*_SHA1` algorithms, verifying signatures We recommend to use some more secure algorithm instead of `*_SHA1`. Also, with `*_SHA1` algorithms, verifying signatures
do not work if the SAML identity provider (for example another instance of {project_name}) runs on Java 17 or higher. do not work if the SAML identity provider (for example another instance of {project_name}) runs on Java 17 or higher.
|Encryption Algorithm
|Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key
for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage.
|SAML Signature Key Name |SAML Signature Key Name
|Signed SAML documents sent using POST binding contain the identification of signing key in `KeyName` element, which, by default, contains the {project_name} key ID. External SAML IDPs can expect a different key name. This switch controls whether `KeyName` contains: |Signed SAML documents sent using POST binding contain the identification of signing key in `KeyName` element, which, by default, contains the {project_name} key ID. External SAML IDPs can expect a different key name. This switch controls whether `KeyName` contains:
* `KEY_ID` - Key ID. * `KEY_ID` - Key ID.