I would like to be able to specify the entityID for Keycloak to use in the SAML IdP descriptor. I observe that the entityID it currently presents is based on the hostname used in the request to https://<hostname>/auth/realms/<realm>/protocol/saml/descriptor. For example (not our use case, but a good illustration), if I have an entry in my hosts file pointing the name 'foobarbaz' to my Keycloak instance, the descriptor that Keycloak presents will be something like https://foobarbaz/auth/realms/master. Is there any way I can get Keycloak to present the same entityID regardless of the name in the request?
The SAML 2.0 standard says
The syntax of such an identifier is a URI of not more than 1024 characters in length. It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself
If we could specify the entityID, we would be able to take advantage of the flexibility of the standard. My own selfish reason for wanting the feature is due to a number of constraints in our environment. One the one hand, we have the need to be able to access the same Keycloak cluster (and the same SPs through it) using more than one name. On the other hand, one of our SPs (Splunk) only accepts a single IdP definition.
This enhancement was previously requested in
KEYCLOAK-5417, which was closed during housekeeping.