How do I install a signing certificate in Keycloak when using Keycloak as a Service Provider (SP) that should connect to a (non-Keycloak) Identity Provider (IdP)?
To be more precise, Keycloak should be used as an Identity Broker (as described in the Keycloak documentation) and the communication between the Keycloak SP and the IdP is going to be facilitated via the SAML 2.0 protocol.
The Keycloak documentation contains information on how to install SSL certificates for doing "normal" HTTPS communication e.g. in the browser, but I cannot find anything regarding the installation of signing certificates to be used in the backend-to-backend SAML communication with the IdP. Does anyone know how to do this?
(Maybe only one certificate is installed into Keycloak, i.e. this certificate is used for both SAML communication and other non-SAML Keycloak HTTPS communication?)
Go to Identity Providers -> your configured SAML IDP -> Export. The export contains the certificate that is used for signing/encryption. There must be at least one activated signing/encryption config in your IDP; otherwise you will not see a cert in the export.
When creating a realm, Keycloak generates an RSA-SHA256 cert which will by default be used by your configured IDP-Brokering settings. Go to Realm Settings -> Keys and you will see this one RS256 (RSA) with the provider (rsa-generated).
If you need another cert, switch to the Providers tab and add a keystore, e.g. rsa. Import your private key and certificate (both in PEM format!).
Back on the overview, disable the rsa-generated provider; your newly added provider should be the only active one with type RS256.
If you now check the Export of your IDP again, the imported cert should be used inside the XML.
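The last step of the answer, checking that the exported broker metadata actually carries the imported certificate, is easy to get wrong by eye, since the base64 blobs of the old rsa-generated cert and the new one look alike. The script below is an added example, not part of the answer above and not Keycloak code: it pulls every `ds:X509Certificate` out of the `KeyDescriptor use="signing"` elements of a SAML metadata export, computes SHA-256 fingerprints of the DER bytes, and compares them with the fingerprint of a local PEM file. It uses only the Python standard library. The metadata document and the certificate bytes embedded in it are constructed placeholders (not real ASN.1), so it runs offline; with a real export you would pass the XML from the Identity Providers -> Export page and the PEM you imported under Realm Settings -> Keys.

```python
"""Verify that the signing certificate embedded in a Keycloak SP (broker) metadata
export matches the certificate you imported under Realm Settings -> Keys.

Standard library only. All certificate bytes and the metadata below are constructed
placeholders for the example; they are not a real Keycloak export.
"""
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of the first certificate."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate (64-column base64, as openssl writes it)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, hex, as `openssl x509 -fingerprint -sha256` reports it."""
    return hashlib.sha256(der).hexdigest()


def metadata_signing_certs(xml_text: str) -> List[bytes]:
    """DER bytes of every certificate under KeyDescriptor use="signing".

    A KeyDescriptor without a `use` attribute is valid for both signing and
    encryption per the SAML metadata spec, so it is included as well.
    """
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.iter("{%s}X509Certificate" % NS["ds"]):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    return certs


def imported_cert_is_active(pem: str, metadata_xml: str) -> bool:
    """True if the PEM certificate is one of the signing certs advertised in the export."""
    target = fingerprint(pem_to_der(pem))
    return any(fingerprint(c) == target for c in metadata_signing_certs(metadata_xml))


# --- constructed sample data (placeholders, not real certificates) -------------
NEW_DER = b"placeholder bytes standing in for the imported signing certificate"
OLD_DER = b"placeholder bytes standing in for the old rsa-generated certificate"
ENC_DER = b"placeholder bytes standing in for an encryption-only certificate"

NEW_PEM = der_to_pem(NEW_DER)   # what you imported under Realm Settings -> Keys
OLD_PEM = der_to_pem(OLD_DER)   # the default rsa-generated cert, now disabled

# Constructed metadata shaped like an SP export: one signing and one encryption
# KeyDescriptor. entityID and URLs are invented for the example.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}"
    entityID="https://keycloak.example.invalid/realms/demo">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{sign}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{enc}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".format(
    md=NS["md"],
    ds=NS["ds"],
    sign=base64.b64encode(NEW_DER).decode("ascii"),
    enc=base64.b64encode(ENC_DER).decode("ascii"),
)

if __name__ == "__main__":
    print("imported cert active:", imported_cert_is_active(NEW_PEM, SAMPLE_METADATA))
    print("old rsa-generated cert still advertised:", imported_cert_is_active(OLD_PEM, SAMPLE_METADATA))
```

If the old rsa-generated certificate is still reported as active, the new provider has not become the only enabled RS256 key (check that the old provider is disabled and that the new one is both enabled and active). Comparing fingerprints rather than the raw base64 text also sidesteps line-wrapping differences between the export and your PEM file.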