From b0a081c867062c36d6353667d427d1f6e9834537 Mon Sep 17 00:00:00 2001 From: Hynek Mlnarik Date: Fri, 4 Nov 2016 22:06:59 +0100 Subject: [PATCH] KEYCLOAK-1881 - SAML key rotation at IdP side --- topics/clients/client-saml.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/topics/clients/client-saml.adoc b/topics/clients/client-saml.adoc index fd6ab24579..e3e017619f 100644 --- a/topics/clients/client-saml.adoc +++ b/topics/clients/client-saml.adoc @@ -58,6 +58,18 @@ Include AuthnStatement:: Sign Documents:: When turned on, {{book.project.name}} will sign the document using the realm's private key. +Optimize REDIRECT signing key lookup:: + When turned on, the SAML protocol messages will include {{book.project.name}} + native extension that contains a hint with signing key ID. When the SP + understands this extension, it can use it for signature validation instead of + attempting to validate signature with all known keys. This option only applies to + REDIRECT bindings where the signature is transferred in query parameters where + there is no place with this information in the signature information + (contrary to POST binding messages where key ID is always included in + document signature). Currently this is relevant to situations where both + IDP and SP are provided by {{book.project.name}} server and adapter. This + option is only relevant when `Sign Documents` is switched on. + Sign Assertions:: The `Sign Documents` switch signs the whole document. With this setting the assertion is also signed and embedded within the SAML XML Auth response.
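Review bot: The new "Optimize REDIRECT signing key lookup" entry should say what the SP does with the key ID hint, since the hint rides in the query string of a REDIRECT binding message alongside the signature and is therefore attacker-controllable before verification: state that the SP still validates the signature with the hinted key (the hint only selects which key to try) and what happens when the hinted ID matches no known key, i.e. whether the adapter falls back to trying all known keys or rejects the message. Without that sentence a reader may conclude the hint replaces signature validation rather than narrowing it. Two smaller points in the same hunk: the phrase "there is no place with this information in the signature information" is hard to parse and could read "the query-parameter signature carries no key identifier, unlike the XML signature of POST binding messages, which includes a KeyInfo element"; and the text uses "IDP" while the commit subject uses "IdP", so one spelling should be picked for consistency with the rest of the page.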