I’m trying to use Keycloak as a replacement for an ADFS - at least for SAML and OIDC, which shouldn’t be much of a problem, yet we fail to make Keycloak act as a single SP with a single Assertion Consumer URL.
Our ADFS has 15 or so ClaimsProviderTrusts (essentially upstream SAML IdPs), which register the ADFS as an SP via a metadata aggregation service (e.g. Deutsches Forschungsnetz, eduGAIN and similar). So we have one EntityId and one ACS URL.
Can I make Keycloak also use a single EntityId (this works) and a single Assertion Consumer Service URL (I fail to see how I would configure that)?
If brokering is the only task Keycloak should do, then Shibboleth is probably the better option here, yes.
If there are also other tasks for Keycloak, you can consider brokering identities from Keycloak to Shibboleth and from there to the other ones (eduroam, eduGAIN, DFN, etc.).
We’ve got a mixture of DFN-registered entities and non-registered entities, but all of them are SAMLp-enabled.
We’d like to use Keycloak for management of LDAP accounts (depending on the upstream IdP the identity is brokered from), but it seems easier to implement an attribute update as a Shibboleth module instead of making Keycloak act with a single ACS URL.
It’s really unfortunate that lots of tools like Keycloak (or Zitadel) do not have a proper way to define SAML SPs for a given realm, independent of upstream SAML IdPs.