Keycloak as a Service Provider - setting up a signing certificate


Question

How do I install a signing certificate in Keycloak when using Keycloak as a Service Provider (SP) that should connect to a (non-Keycloak) Identity Provider (IdP)?

To be more precise, Keycloak should be used as an Identity Broker (as described in the Keycloak documentation), and the communication between the Keycloak SP and the IdP is going to be facilitated via the SAML 2.0 protocol.

The Keycloak documentation contains information on how to install SSL certificates for doing "normal" HTTPS communication, e.g. in the browser, but I cannot find anything regarding the installation of signing certificates to be used in the backend-to-backend SAML communication with the IdP. Does anyone know how to do this?

(Maybe only one certificate is installed into Keycloak, i.e. this certificate is used for both SAML communication and other non-SAML Keycloak HTTPS communication?)

Answer

How do you see which certificate is used by your SP for signing/encrypting SAML messages for/to the external IdP?

Go to Identity Providers -> your configured SAML IdP -> Export. The export contains the certificate which is used for signing/encryption. There must be at least one activated signing/encryption config in your IdP, otherwise you will not see a cert in the export.

When creating a realm, Keycloak generates an RSA-SHA256 cert which will by default be used by your configured IdP brokering settings.

Go to Realm Settings -> Keys and you will see this one RS256 (RSA) with the provider (rsa-generated).

If you need another cert, switch to the Providers tab, Add keystore, e.g. rsa. Import your private key and certificate (both in PEM format!).

Back on the overview, disable the rsa-generated provider; your newly added provider should be the only active one with type RS256.

If you now check the Export of your IdP again, the imported cert should be used inside the XML.
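The answer above verifies the last step by eye in the exported XML. As an added example (not code from the original post and not Keycloak's own code), the Python script below does that check mechanically: it computes the SHA-256 fingerprint of the certificate you imported and confirms that the signing KeyDescriptor of the SP metadata export carries exactly that certificate, and it builds the component body that Realm Settings -> Keys -> Providers -> Add keystore (rsa) submits, which you can POST to /admin/realms/{realm}/components or pass to `kcadm.sh create components`. The metadata document and the "certificate" bytes are constructed placeholders (not real DER), the realm and entityID names are made up, and the config key names assume the `rsa` key provider of a current Keycloak release.

```python
"""Check that a Keycloak SP metadata export uses the realm key you imported."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace and return the DER bytes of a certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def metadata_certs(metadata_xml: str) -> dict:
    """Map each KeyDescriptor 'use' (signing/encryption) to the fingerprints it carries.

    X509Certificate text may be wrapped across lines, so whitespace is removed first.
    """
    root = ET.fromstring(metadata_xml)
    found = {}
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        use = kd.get("use", "any")
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.setdefault(use, []).append(fingerprint(der))
    return found


def export_uses_cert(metadata_xml: str, cert_pem: str, use: str = "signing") -> bool:
    """True if the export's KeyDescriptor for `use` contains exactly this certificate."""
    return fingerprint(pem_to_der(cert_pem)) in metadata_certs(metadata_xml).get(use, [])


def rsa_key_component(name: str, private_key_pem: str, cert_pem: str, priority: int = 100) -> dict:
    """Body for POST /admin/realms/{realm}/components (assumed: the config keys of the
    'rsa' key provider; every value is a one-element list, as the admin API expects).
    A higher priority than rsa-generated makes this key the preferred one."""
    return {
        "name": name,
        "providerId": "rsa",
        "providerType": "org.keycloak.keys.KeyProvider",
        "config": {
            "priority": [str(priority)],
            "enabled": ["true"],
            "active": ["true"],
            "privateKey": [private_key_pem],
            "certificate": [cert_pem],
        },
    }


def _pem(der: bytes) -> str:
    """Wrap bytes in PEM certificate armour with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for DER certificates (not real X.509 data).
IMPORTED_DER = b"constructed placeholder, not a real DER certificate: " + bytes(range(64))
OLD_DER = b"constructed placeholder for the old rsa-generated cert: " + bytes(range(64, 128))
IMPORTED_CERT_PEM = _pem(IMPORTED_DER)
OLD_CERT_PEM = _pem(OLD_DER)

# Constructed SP metadata in the shape of a Keycloak identity-provider export
# (entityID and realm name are made up); the signing cert is the imported one.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.example.test/realms/myrealm">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(IMPORTED_DER).decode()


if __name__ == "__main__":
    print("export uses imported cert:", export_uses_cert(SAMPLE_METADATA, IMPORTED_CERT_PEM))
    print("export still uses old cert:", export_uses_cert(SAMPLE_METADATA, OLD_CERT_PEM))
```

Run it after the last step of the answer, with the real exported XML and your PEM certificate in place of the placeholders. Keep in mind that Realm Settings -> Keys are the realm's signing keys in general, so disabling rsa-generated also changes the key that signs OIDC tokens for every client in that realm; the certificate used for HTTPS is configured separately in the server, not in the realm keys, which answers the parenthetical in the question.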

