I need to change my current Keycloak configuration to set up a Keycloak broker that queries a remote SAML Identity Provider (IdP).
Here is the metadata.xml. I’m unsure if I need to configure both an IdP and a SAML Client in Keycloak or just a SAML Client.
<md:EntityDescriptor validUntil="2025-11-13T14:27:57.8433870Z" cacheDuration="P365D" entityID="k*******b.*******.**">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://k*******b.*******.**/saml20-logout"/>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    </md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://k*******b.*******.**/saml20-login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
The IdP manager also asked me for a cert.pem, but when I try to configure an IdP and/or a SAML Client, I don’t see any option to export a cert.pem.
I have a Flask app, and I want users to log in using their accounts on the external IdP. I don’t need Keycloak’s login page; I need a SAML Client that acts like a user client so I can manage the login flow directly in Flask.
My Keycloak version is 22.
The SAML IdP requires your certificate to verify the signatures of your requests (this is how trust is established between the two systems). Simply open the well-known OIDC URL in your realm, where you will find the certificate endpoint. You can use this endpoint to obtain the certificate (which is paired with the private key used for signing SAML requests/responses on the KC side). Convert it to PEM format if required.
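The procedure the answer describes, as an added example that is not part of the answer above and not Keycloak's own code: read the realm's OIDC discovery document, follow its jwks_uri, select the key marked use=sig (the one whose certificate the remote SAML IdP needs; the use=enc key is the wrong one to hand over), and wrap the x5c entry into a PEM file. The Keycloak host and realm in the URLs are assumed, and the discovery and JWKS documents are constructed samples with placeholder base64 in place of real certificates, so the script runs offline; point export_realm_signing_cert at a real realm without the http_get override to fetch the live data.

```python
import base64
import json
import textwrap
import urllib.request

# Constructed sample documents standing in for what Keycloak serves at
# https://<host>/realms/<realm>/.well-known/openid-configuration and at the
# jwks_uri it advertises (Keycloak's /protocol/openid-connect/certs endpoint).
# The x5c values are placeholder base64, NOT real certificates.
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.example.com/realms/myrealm",
    "jwks_uri": "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/certs",
}
SAMPLE_JWKS = {
    "keys": [
        {"kid": "enc-key", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
         "x5c": [base64.b64encode(b"encryption-cert-placeholder").decode()]},
        {"kid": "sig-key", "kty": "RSA", "alg": "RS256", "use": "sig",
         "x5c": [base64.b64encode(b"signing-cert-placeholder-" * 5).decode()]},
    ]
}


def fetch_json(url, http_get=None):
    """Fetch and parse a JSON document; http_get is injectable for offline use."""
    if http_get is None:
        def http_get(u):
            with urllib.request.urlopen(u, timeout=10) as resp:
                return resp.read()
    return json.loads(http_get(url))


def pick_signing_cert_b64(jwks, kid=None):
    """Return the leaf certificate (x5c[0]) of the realm's signing key.

    Skips keys marked for encryption and keys without a certificate chain, and
    refuses to guess when several signing keys exist and no kid was given.
    """
    candidates = [k for k in jwks.get("keys", [])
                  if k.get("use") == "sig" and k.get("x5c")]
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    if not candidates:
        raise ValueError("no signing key with an x5c chain in JWKS")
    if len(candidates) > 1:
        raise ValueError("several signing keys, pass kid= explicitly: %s"
                         % [k.get("kid") for k in candidates])
    return candidates[0]["x5c"][0]


def x5c_to_pem(cert_b64):
    """Wrap an x5c entry (base64 DER on one line) as a PEM certificate."""
    der = base64.b64decode(cert_b64, validate=True)  # reject garbage early
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def export_realm_signing_cert(discovery_url, http_get=None, kid=None):
    """Discovery document -> jwks_uri -> signing key -> PEM string."""
    discovery = fetch_json(discovery_url, http_get)
    jwks = fetch_json(discovery["jwks_uri"], http_get)
    return x5c_to_pem(pick_signing_cert_b64(jwks, kid))


def offline_http_get(url):
    """Serve the constructed sample documents instead of using the network."""
    if url.endswith("/.well-known/openid-configuration"):
        return json.dumps(SAMPLE_DISCOVERY).encode()
    if url == SAMPLE_DISCOVERY["jwks_uri"]:
        return json.dumps(SAMPLE_JWKS).encode()
    raise KeyError(url)


if __name__ == "__main__":
    pem = export_realm_signing_cert(
        "https://keycloak.example.com/realms/myrealm/.well-known/openid-configuration",
        http_get=offline_http_get)
    print(pem)  # write this to cert.pem for the IdP manager
```

When run against a real realm, check that the kid of the exported key matches the active RSA signing key shown under Realm settings > Keys in the Keycloak admin console, since a realm may hold several active keys; the IdP will only accept signatures from the key whose certificate you handed over.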