* U W <poubelle1430531(a)hotmail.fr> [2023-01-30 15:53]:
> Therefore, if I want to accept Edugain it means I have to import one
> by one each Edugain Federation and our end users have to choose the
> right one in a list.
No, not when using the system as it was designed to be used, and using
proper software:
1. The eduGAIN Metadata Distribution Service publishes a signed
EntitiesDescriptor (SAML 2.0 Metadata) containing the union of all
entities published to become part of eduGAIN by each eduGAIN participating
federation. (So the aggregation is already done.)
But even that's only an implementation detail.
2. Much more important is the fact that no individual IDP or SP should
ever consume the eduGAIN MDS document/metadata directly:
Instead, each eduGAIN member federation (I could only guess from your
email address ending in .fr and from your first name that this would
be "Fédération Éducation-Recherche" provided by RENATER,
https://services.renater.fr/federation/en/index) publishes a signed
(by them) metadata document containing their local entities plus all
entities that "are in eduGAIN" (or some permutation of these sets).
I.e., you'll need to find a "home federation"
https://technical.edugain.org/status (I'm guessing FER by RENATER)
that would register your service (and publish *towards* all entities
"in eduGAIN") and that federation will also provide you with a metadata
feed to consume where you learn about all entities "in edugain".
I'd suggest to either contact the eduGAIN support team
(https://edugain.org/contact/) or, if you have already decided that
RENATER is the best option for you, to contact RENATER about
subscribing as a partner, as mentioned in their documentation,
https://services.renater.fr/federation/en/index
(Also available in French, of course:
https://services.renater.fr/federation/index )
> The idea is this one:
> - Keycloak should see only one Identity Provider 'Edugain': in reality it is
> Satosa behind
> - and Satosa discovers the Edugain federations
Mostly (see above). Keycloak is fundamentally broken wrt scalable
identity federation, and you would need to spoon-feed it all IDPs in
eduGAIN somehow, given that currently there are 5239 IDPs "in
eduGAIN", cf.
https://technical.edugain.org/
To make matters worse, Keycloak as a SAML SP would require a single
ACS URL (where an IDP posts the SAML Response to) per IDP it has
configured locally, meaning your SP would have to have 5000+ ACS URLs
(and keep those current as IDPs join and leave eduGAIN).
So if you limit yourself to Keycloak (for other reasons / use-cases)
you'd at least need some extra tooling to do that, even with a
federation providing you with a single metadata document for all
IDPs.
Satosa (a SAML proxy, like Keycloak itself) might be one such tool.
> I'm not comfortable with these technologies / these protocols
> (Keycloak, Satosa, SP, IDP, SAML, etc) and therefore I don't
> understand how to configure all components...
That's not a good basis for getting good results fast (also taking
into account that federated authentication is security software) but I
guess you have to start somewhere. ;)
HTH,
-peter
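The metadata feed described in points 1 and 2 above (a signed SAML 2.0 EntitiesDescriptor aggregating every IdP and SP "in eduGAIN") is what an SP actually consumes instead of registering IdPs one by one. The following is an added example, not code from this thread, from eduGAIN or from RENATER: it parses a constructed, minimal aggregate (placeholder entityIDs, a placeholder Signature element, not real federation data) and enforces the preconditions a consumer should check before trusting it, namely that the root is an EntitiesDescriptor, that it carries an enveloped signature, and that validUntil has not passed. Signature verification itself is deliberately left to a library that implements XML-DSig (xmlsec, pysaml2 or the SP software's own metadata provider); the check here only refuses unsigned documents. It then enumerates the IdPs with their SingleSignOnService endpoints (what a discovery service or proxy like SATOSA needs) and the SPs with their AssertionConsumerService locations.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample aggregate (not real eduGAIN/RENATER metadata):
# two IdPs, one SP, and a placeholder (unverifiable) Signature element.
SAMPLE_AGGREGATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="https://federation.example.test/metadata/interfederation"
    validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp-a.example.test/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-a.example.test/sso/redirect"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://idp-a.example.test/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.test/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-b.example.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.test/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                   Location="https://sp.example.test/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _parse_saml_datetime(value):
    # xs:dateTime as federations usually emit it: UTC with a 'Z' suffix.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported dateTime: {value!r}")


def load_aggregate(xml_text, now=None):
    """Parse an aggregate and refuse it unless it is an EntitiesDescriptor,
    carries an enveloped ds:Signature (verification is left to an XML-DSig
    library) and its validUntil lies in the future."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("expected md:EntitiesDescriptor at the root")
    if root.find("ds:Signature", NS) is None:
        raise ValueError("aggregate is not signed; refusing to consume it")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; refusing to consume it")
    now = now or dt.datetime.now(dt.timezone.utc)
    if _parse_saml_datetime(valid_until) <= now:
        raise ValueError(f"aggregate expired at {valid_until}")
    return root


def list_idps(root):
    """Map IdP entityID -> {binding: SingleSignOnService Location}."""
    idps = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        idps[ed.get("entityID")] = {
            sso.get("Binding"): sso.get("Location")
            for sso in idp.findall("md:SingleSignOnService", NS)
        }
    return idps


def list_sps(root):
    """Map SP entityID -> list of AssertionConsumerService Locations."""
    sps = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue
        sps[ed.get("entityID")] = [
            acs.get("Location") for acs in sp.findall("md:AssertionConsumerService", NS)
        ]
    return sps


def summarize(xml_text, now=None):
    root = load_aggregate(xml_text, now)
    return {"name": root.get("Name"), "idps": list_idps(root), "sps": list_sps(root)}


if __name__ == "__main__":
    summary = summarize(SAMPLE_AGGREGATE)
    print(f"{summary['name']}: {len(summary['idps'])} IdPs, {len(summary['sps'])} SPs")
    for entity_id, endpoints in summary["idps"].items():
        print(entity_id, endpoints)
```

Run against a real federation feed (thousands of EntityDescriptors rather than three), the IdP map is exactly the list a Keycloak-only setup would have to be spoon-fed, while a proxy such as SATOSA consumes the whole document and presents the SP with one entity. The validUntil check matters in practice because an attacker who can replay an old, still correctly signed aggregate could otherwise reintroduce entities the federation has since removed.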