Keycloak implementation for import/export SAML IdP

[cgeorgilakis]

SAML IdP values from xml:

• HTTP-POST Binding Response and HTTP-POST Binding for AuthnRequest become true if md:SingleSignOnService with urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST exists. For Single Sign-On Service URL search first for md:SingleSignOnService with urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
• HTTP-POST Binding Logout become true if HTTP-POST Binding Response is true and md:SingleLogoutService exists with urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST exists. If HTTP-POST Binding Logout is true, this md:SingleLogoutService is Single Logout Service URL. If HTTP-POST Binding Logout is false, Single Logout Service URL is taken from md:SingleLogoutService with urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect ( if exists).
• Want AuthnRequests Signed and Validate Signature become true if WantAuthnRequestsSigned is true
• Want Assertions Signed and Want Assertions Encrypted is not parsing. Only when creating SAML IdP for federation, this values are taken from SAML Federation configuration.

For federation we keep same functionality for almost all values. We only put extra value to alias and displayname. Finally, in some fields default values like Keycloak SAML IdP default values are put.

SAML IdP exporting SAML SP metadata :

• AssertionConsumerService Binding and SingleLogoutService is based on HTTP-POST Binding for AuthnRequest. Location is same for AssertionConsumerService Binding and SingleLogoutService. -If Want AuthnRequests Signed is true and signining keys exist, md:KeyDescriptor use="signing" will exist in exported xml.
• If Want Assertions Encrypted is true and signining keys exist, md:KeyDescriptor use="encryption" will exist in exported xml.

[cgeorgilakis]

From Keycloak document :

• HTTP-POST Binding Response : When this realm responds to any SAML requests sent by the external IDP, which SAML binding should be used? If set to off, then the Redirect Binding will be used.
• HTTP-POST Binding for AuthnRequest : When this realm requests authentication from the external SAML IDP, which SAML binding should be used? If set to off, then the Redirect Binding will be used.

Actually, what Keycloak sends is based on HTTP-POST Binding for AuthnRequest and SAML document inside it is based on HTTP-POST Binding Response.

Moreover, in document Keycloak add extension if HTTP-POST Binding for AuthnRequest is false, Want AuthnRequests Signed is true and addExtensionsElementWithKeyInfo is true. However, addExtensionsElementWithKeyInfo is set to false in parsing and can not be edited by user!