Keycloak integration with Pingfederate

Question

What I want to do is this:

I have keycloak integrated with my application. So when my app is launched , keycloak login page is shown to user. Now , I am trying to provide an option to login with PingFedrate. So a button to login with PingFed appears(once a new SAML provider is configured in keycloak). On PingFedrate I tried to integrate SP inititated SSO:

I added a new SP connection and there I configured it as SSP initiated SSO. (It forced me to configure SOAP Authentication , where I selected basic and configured random username password). Then I downloaded metatdata.xml from this SP and imported in keycloak which autofilled the login url as : https://myserver:9031/idp/SSO.saml2 (i.e. without client id). After this when user clickon Login with PingFed - PingFed gives following error:

Unexpected System Error Sorry for the inconvenience. Please contact your administrator for assistance and provide the reference number below to help locate and correct the problem.

Answer 1

I found the solution to this.

Firstly, we need to add SP inititated SSO in Pingfed for keycloak.

Secondly, the reason I could not make SP inititated SSO work was that keycloak's entityId should be same as Pingfed SP connection's Partner's Entity Id / Connection Id.

Keycloak, by default keeps entity id equal to url of keyloak server containing your realm. E.g

https://(keycloak-server)/auth/realms/(realm-name)

(and I could not find a way to change it through Keycloak UI)

You need to enter this URL in Pingfed.

To avoid adding this manually, you can download the keycloak config from download export tab of identity provider.

And on Pingfed , import this file.

On a side note, though I was importing it earlier, I was changing value of Partenr id to some other name as I was not aware of above restriction until I started decoding the SAML tokens in request.