<SP entityID="sp"
    sslPolicy="ssl"
    nameIDPolicyFormat="format"
    forceAuthentication="true"
    isPassive="false"
    autodetectBearerOnly="false">
    ...
</SP>
Here is the explanation of the SP element attributes:

entityID
This is the identifier for this client. The IdP needs this value to determine which client is communicating with it; it must match the client ID registered at the IdP. This setting is REQUIRED.

sslPolicy
This is the SSL policy the adapter will enforce. Valid values are: ALL, all requests must come in via HTTPS. EXTERNAL, only requests from non-private IP addresses must come over the wire via HTTPS. NONE, no requests are required to come over via HTTPS. This setting is OPTIONAL. Default value is EXTERNAL. Note that EXTERNAL judges by the client address the adapter sees, so an application behind a reverse proxy or load balancer on a private network will treat every request as internal; use ALL in that case, and reserve NONE for local development.

nameIDPolicyFormat
SAML clients can request a specific NameID Subject format. Fill in this value if you want a specific format. It must be a standard SAML format identifier, for example urn:oasis:names:tc:SAML:2.0:nameid-format:transient. This setting is OPTIONAL. By default, no special format is requested.

forceAuthentication
SAML clients can request that a user is re-authenticated even if they are already logged in at the IdP (the ForceAuthn flag of the AuthnRequest). Set this to true to enable. This setting is OPTIONAL. Default value is false.

isPassive
SAML clients can request that a user is never asked to authenticate even if they are not logged in at the IdP (the IsPassive flag of the AuthnRequest; an IdP that cannot satisfy it answers with a NoPassive status instead of a login page). Set this to true if you want this. Do not use together with forceAuthentication, as they are opposites. This setting is OPTIONAL. Default value is false.

turnOffChangeSessionIdOnLogin (not shown in the snippet above)
The session ID is changed by default on a successful login on some platforms to plug a security attack vector: without the change, a session ID that an attacker planted before login (session fixation) would remain valid after the user authenticates. Change this to true to disable this. It is recommended you do not turn it off. Default value is false.

autodetectBearerOnly
This should be set to true if your application serves both a web application and web services (e.g. SOAP or REST). It allows you to redirect unauthenticated users of the web application to the Keycloak login page, but send an HTTP 401 status code to unauthenticated SOAP or REST clients instead, as they would not understand a redirect to the login page. Keycloak auto-detects SOAP or REST clients based on typical request headers such as Accept. The default value is false.
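The rules above can be checked mechanically before an adapter is deployed. The following is an added example, not Keycloak's own code: a small Python audit that parses the SP element of a keycloak-saml.xml and reports the settings a reviewer would flag (sslPolicy NONE, forceAuthentication combined with isPassive, turnOffChangeSessionIdOnLogin set to true, a non-standard nameIDPolicyFormat, a missing entityID). The two embedded configuration files are constructed for the example; the entityID URL, the audit_sp function and its finding messages are assumptions of this example, and the set of known NameID formats is the standard SAML 2.0/1.1 identifiers.

```python
"""Audit the <SP> element of a keycloak-saml.xml against the attribute rules
documented above. Added example; not part of Keycloak."""
import xml.etree.ElementTree as ET

VALID_SSL_POLICIES = {"ALL", "EXTERNAL", "NONE"}

# Standard SAML NameID format identifiers (SAML 2.0 core, plus the 1.1 legacy ones).
KNOWN_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}


def _bool(value, default=False):
    """Interpret an XML boolean attribute; absent means the documented default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def audit_sp(xml_text):
    """Return a list of (severity, message) findings for the first <SP> element."""
    root = ET.fromstring(xml_text)
    sp = next((e for e in root.iter() if _local(e.tag) == "SP"), None)
    if sp is None:
        return [("error", "no SP element found")]

    findings = []
    if not sp.get("entityID"):
        findings.append(("error", "entityID is required"))

    policy = sp.get("sslPolicy", "EXTERNAL")  # adapter default when absent
    if policy not in VALID_SSL_POLICIES:
        findings.append(("error", f"sslPolicy {policy!r} is not ALL, EXTERNAL or NONE"))
    elif policy == "NONE":
        findings.append(("warn", "sslPolicy=NONE lets SAML responses arrive over plain HTTP"))

    fmt = sp.get("nameIDPolicyFormat")
    if fmt is not None and fmt not in KNOWN_NAMEID_FORMATS:
        findings.append(("warn", f"nameIDPolicyFormat {fmt!r} is not a standard SAML format identifier"))

    if _bool(sp.get("forceAuthentication")) and _bool(sp.get("isPassive")):
        findings.append(("error", "forceAuthentication and isPassive are both true; they are opposites"))

    if _bool(sp.get("turnOffChangeSessionIdOnLogin")):
        findings.append(("warn", "turnOffChangeSessionIdOnLogin=true keeps the pre-login session ID (session fixation risk)"))

    return findings


# Constructed sample: every weak setting at once.
WEAK_CONFIG = """<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
  <SP entityID="https://sp.example.test/app"
      sslPolicy="NONE"
      forceAuthentication="true"
      isPassive="true"
      turnOffChangeSessionIdOnLogin="true"
      autodetectBearerOnly="true">
  </SP>
</keycloak-saml-adapter>"""

# Constructed sample: the same SP with the settings a reviewer would accept.
HARDENED_CONFIG = """<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
  <SP entityID="https://sp.example.test/app"
      sslPolicy="EXTERNAL"
      nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      forceAuthentication="false"
      isPassive="false"
      autodetectBearerOnly="true">
  </SP>
</keycloak-saml-adapter>"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for severity, message in audit_sp(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

The audit matches the SP element by local name so it works whether or not the file declares the urn:keycloak:saml:adapter namespace. Point it at a real keycloak-saml.xml with `audit_sp(open(path).read())`; an empty list means none of the documented pitfalls are present, though it says nothing about the keys, certificates and IDP settings outside the SP attributes covered here.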