UNCLASSIFIED - NO CUI

feat: add sso.idpMetadataXml value for direct IdP metadata configuration

General MR

Summary

Added the sso.idpMetadataXml value so the IdP metadata XML can be provided directly instead of being fetched from sso.idpMetadataUrl at deploy time.

There are accompanying umbrella changes that will be incorporated into the automatically generated umbrella MR when this is merged.

Relevant logs/screenshots


Umbrella integration test pipeline: big-bang/bigbang!7533 (closed)

configure-sso job logs without sso.saml.metadata set in the umbrella:

IdP URL is live...
Anchore Engine is live...
SAML config already exists, updating...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.43.233.221:8228...
* Connected to anchore-enterprise-anchore-enterprise-api (10.43.233.221) port 8228 (#0)
* Server auth using Basic with user 'admin'
> PUT /v2/rbac-manager/saml/idps/keycloak HTTP/1.1
> Host: anchore-enterprise-anchore-enterprise-api:8228
> Authorization: Basic YWRtaW46aWtBSG90N1ZCc2dvRjNBSm15aURidTV5SlQ1QUZRQ2M=
> User-Agent: curl/7.76.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 4035
> 
} [4035 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Fri, 27 Mar 2026 13:44:39 GMT
< content-type: application/json
< content-length: 4080
< anchore-request-id: req-id-10ab6ccee9f84227881c5392e16aff7e
< x-envoy-upstream-service-time: 333
< server: envoy
< 
{ [4080 bytes data]

100  8115  100  4080  100  4035  11558  11430 --:--:-- --:--:-- --:--:-- 22988
* Connection #0 to host anchore-enterprise-anchore-enterprise-api left intact
{"name":"keycloak","enabled":true,"acs_https_port":-1,"sp_entity_id":"dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_anchore","acs_url":"https://anchore.dev.bigbang.mil/service/sso/auth/keycloak","default_account":"user","default_role":"read-write","require_signed_assertions":false,"require_signed_response":true,"idp_metadata_xml":"<md:EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:KeyName>Y95Z-3ILzqbiZC4zyTM6Ah4tywR-257sOBJIsXNHmj4</ds:KeyName><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml/resolve\" index=\"0\"></md:ArtifactResolutionService><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleLogoutService><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleLogoutService><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleLogoutService><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" 
Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleSignOnService><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleSignOnService><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleSignOnService><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>","created_at":"2026-03-27T13:07:18.601594","last_updated":"2026-03-27T13:44:42.851543"}

configure-sso job logs with sso.saml.metadata set in the umbrella:

Anchore Engine is live...
SAML config already exists, updating...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.43.233.221:8228...
* Connected to anchore-enterprise-anchore-enterprise-api (10.43.233.221) port 8228 (#0)
* Server auth using Basic with user 'admin'
> PUT /v2/rbac-manager/saml/idps/keycloak HTTP/1.1
> Host: anchore-enterprise-anchore-enterprise-api:8228
> Authorization: Basic YWRtaW46aWtBSG90N1ZCc2dvRjNBSm15aURidTV5SlQ1QUZRQ2M=
> User-Agent: curl/7.76.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 4234
> 
} [4234 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Fri, 27 Mar 2026 13:34:45 GMT
< content-type: application/json
< content-length: 3899
< anchore-request-id: req-id-d36c4bcc663a4064a5fab632efdbe4c4
< x-envoy-upstream-service-time: 365
< server: envoy
< 
{ [3899 bytes data]

100  8133  100  3899  100  4234  10595  11505 --:--:-- --:--:-- --:--:-- 22160
* Connection #0 to host anchore-enterprise-anchore-enterprise-api left intact
{"name":"keycloak","enabled":true,"acs_https_port":-1,"sp_entity_id":"dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_anchore","acs_url":"https://anchore.dev.bigbang.mil/service/sso/auth/keycloak","default_account":"user","default_role":"read-write","require_signed_assertions":false,"require_signed_response":true,"idp_metadata_xml":"\n<md:EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml/resolve\" index=\"0\"></md:ArtifactResolutionService><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleLogoutService><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleLogoutService><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" 
Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleSignOnService><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleSignOnService><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleSignOnService><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml\"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>\n","created_at":"2026-03-27T13:07:18.601594","last_updated":"2026-03-27T13:34:48.371389"}

Linked Issue

issue

Upgrade Notices

When sso.saml.metadata is set in the umbrella values, the Anchore configure-sso job will use the provided XML directly for IdP metadata configuration instead of fetching it from the IdP metadata URL. If sso.saml.metadata is not set, the existing behavior of fetching metadata from the URL at deploy time is unchanged.
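The decision described above (use the inline XML when it is set, otherwise fetch the IdP metadata URL), paired with the sanity checks a practitioner would want to run on the XML before the job PUTs it to /v2/rbac-manager/saml/idps/<name>, as an added Python example that is not part of this MR or of the Big Bang chart. The function names and the pinned-entityID check are assumptions; the sample metadata is constructed, borrowing only the realm entityID seen in the job logs, and its certificate body is a placeholder.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def resolve_idp_metadata(inline_xml, metadata_url, fetch):
    """Same decision the job makes: inline XML wins, otherwise fetch the URL."""
    if inline_xml and inline_xml.strip():
        return "inline", inline_xml
    return "url", fetch(metadata_url)


def validate_idp_metadata(xml_text: str, expected_entity_id: str) -> dict:
    """Reject metadata that is malformed, for the wrong IdP, or unverifiable."""
    try:
        root = ET.fromstring(xml_text.strip())  # values often carry a leading newline
    except ET.ParseError as exc:
        raise ValueError(f"IdP metadata is not well-formed XML: {exc}") from exc
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:  # pinning the issuer is a trust decision
        raise ValueError(f"entityID {entity_id!r} is not {expected_entity_id!r}")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    certs = [c.text.strip() for kd in idp.iterfind(MD + "KeyDescriptor")
             if kd.get("use") in (None, "signing")
             for c in kd.iter(DS + "X509Certificate") if c.text and c.text.strip()]
    if not certs:
        raise ValueError("no signing certificate: signed responses cannot be verified")
    sso = [s.get("Location") for s in idp.iterfind(MD + "SingleSignOnService")
           if s.get("Binding") == HTTP_POST]
    if not sso:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    return {"entity_id": entity_id, "signing_certs": len(certs), "sso_url": sso[0]}


# Constructed sample modelled on the realm metadata in the job logs; placeholder cert.
SAMPLE_ENTITY_ID = "https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda"
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{SAMPLE_ENTITY_ID}">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...PLACEHOLDER-NOT-A-REAL-CERT...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{HTTP_POST}" Location="{SAMPLE_ENTITY_ID}/protocol/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running validate_idp_metadata on whichever source resolve_idp_metadata picked, before the curl PUT, turns a typo in the pasted value into a failed job rather than a silently broken or mis-trusted SAML configuration.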

Umbrella Branch

anchore-idp-metadata-xml

Edited by Jonathan Braswell
