Service Provider Entity ID

Client

The SAML Entity ID that the remote Identity Provider (IdP) uses to identify requests from this Service Provider. By default, this setting is set to the realms base URL <root>/realms/{realm-name}.

Single Sign-On Service URL

Client

The SAML endpoint that starts the authentication process. If your SAML IdP publishes an IDP entity descriptor, the value of this field is specified there.

Single Logout Service URL

Client

The SAML logout endpoint. If your SAML IdP publishes an IdP entity descriptor, the value of this field is specified there.

Backchannel Logout

Antavo/Client

The SAML logout endpoint. If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there.

Backchannel Logout

Client

Toggle this switch to ON if your SAML IDP supports back channel logout.

NameID Policy Format

Client

The URI reference corresponding to a name identifier format. By default, Keycloak sets it to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

Principal Type

Client

This attribute specifies which part of the SAML assertion will be used to identify and track external user identities. It can be either Subject NameID or SAML attribute (either by name or by friendly name). Subject NameID value can not be set together with urn:oasis:names:tc:SAML:2.0:nameid-format:transient NameID Policy Format value.

Principal Attribute

Client

If a Principal type is non-blank, this field specifies the name ("Attribute [Name]") or the friendly name ("Attribute [Friendly Name]") of the identifying attribute.

Allow create

Client

Allow the external identity provider to create a new identifier to represent the principal.

HTTP-POST Binding Response

Antavo/Client

Controls the SAML binding in response to any SAML requests sent by an external IDP. When OFF, Keycloak uses Redirect Binding.

HTTP-POST Binding for AuthnRequest

Antavo/Client

Controls the SAML binding when requesting authentication from an external IDP. When OFF, Keycloak uses Redirect Binding.

Want AuthnRequests Signed

Antavo

When ON, Keycloak uses the realm’s keypair to sign requests sent to the external SAML IDP.

Signature Algorithm

Client

If Want AuthnRequests Signed is ON, the signature algorithm to use.

SAML Signature Key Name

Antavo

Signed SAML documents sent using POST binding contain the identification of signing key in KeyName element, which, by default, contains the Keycloak key ID. External SAML IDPs can expect a different key name. This switch controls whether KeyName contains: * KEY_ID - Key ID. * CERT_SUBJECT - the subject from the certificate corresponding to the realm key. Microsoft Active Directory Federation Services expect CERT_SUBJECT. * NONE - Keycloak omits the key name hint from the SAML message.

Force Authentication

Antavo

The user must enter their credentials at the external IDP even when the user is already logged in.

Validate Signature

Antavo

When ON, the realm expects SAML requests and responses from the external IDP to be digitally signed.

Validating X509 Certificate

Antavo

The public certificate Keycloak uses to validate the signatures of SAML requests and responses from the external IDP.

Sign Service Provider Metadata

Antavo/Client

When ON, Keycloak uses the realm’s key pair to sign the SAML Service Provider Metadata descriptor.

Pass subject

Client

Controls if Keycloak forwards a login_hint query parameter to the IDP. Keycloak adds this field’s value to the login_hint parameter in the AuthnRequest’s Subject so destination providers can pre-fill their login form.

Attribute Consuming Service Index

Client

Identifies the attribute set to request to the remote IDP. Keycloak automatically adds the attributes mapped in the identity provider configuration to the autogenerated SP metadata document.

Attribute Consuming Service Name

Client

A descriptive name for the set of attributes that are advertised in the autogenerated SP metadata document.