Key selection on Identity Providers

[Captain-P-Goldfish]

Hi,
we are currently facing the issue that we want to configure several identity providers in a single realm. Some of these providers are SAML providers and thus we need different key-material for encryption, decryption, request-signatures and response-signature-verification.
So in total one to two key setups per provider (two if the keys cannot be extracted from the providers metadata for any reason).

The current solution in keycloak is to use the active-key in the realm. But this defeats of course the possibility to define multiple remote providers for which we require different authentication key-material.

The easiest fix would probably be to add a key-name reference to the identitiy provider configurations. With this we could add a new key that is not marked active:

and then we could reference this new key by name elster-decryption in the SAML configuration. The same would be required for response-signature-verification.

[francis-pouatcha]

• Idea of having many identity providers in the same realm. Such that each of them can select his own key.
• This will keep key rotation capabilities.

[Captain-P-Goldfish]

as discussed today we should implement the idea from @thomasdarimont :

• Adding additional key-input fields to the different identity provider implementations to prevent having these idp-specific keys within the jwks-endpoint
• We could add the input-fields in the AbstractIdentityProvider class and add a switch to add them to the underlying concrete implementation. Like this we can add these new input-fields for SAML and later also for OpenID if the https://datatracker.ietf.org/doc/html/rfc7523 specification would be supported in a later version.

Please correct me, if I got anything wrong.

[thomasdarimont]

I think that makes sense!