INC-2026-02-14-001: Prevention

Key Lessons

Lesson                         Action
ISE SAML is GUI-only           No ERS/OpenAPI endpoint exists for SAML IdP configuration
Keycloak is fully API-driven   All SAML client updates can be automated via the REST API
Entity ID survives restores    The ISE Entity ID is deployment-specific, not hostname-specific
sed is powerful                A simple sed 's/old/new/g' transformed all hostname references
PUT requires full object       Keycloak does not support PATCH; a GET/modify/PUT workflow is required

Prevention Checklist

Pre-Restore

  • Document current ISE Entity ID from SP metadata

  • Export Keycloak SAML client configuration

  • Note all hostname-specific URLs

Post-Restore

  • Verify ISE Entity ID unchanged

  • Update Keycloak SAML client redirect URIs

  • Update ACS URL in client attributes

  • Test SAML login before declaring restore complete

Automation Opportunity

Create a netapi keycloak update-saml-client command:

netapi keycloak update-saml-client \
  --realm domusdigitalis \
  --client-id "http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8" \
  --old-hostname ise-02 \
  --new-hostname ise-01
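As an added example (not the incident's own netapi code), the core of such a command in Python: it fetches the Keycloak SAML client by clientId, rewrites hostname references on label boundaries, and sends the whole object back with PUT, which is what the GET/modify/PUT lesson above requires. Assumed: standard library only, the Keycloak admin REST API paths under /admin/realms/{realm}/clients, an admin bearer token obtained separately, the saml_assertion_consumer_url_post attribute key, and constructed sample values.

```python
import json
import re
import urllib.parse
import urllib.request

# Added example, not from the incident write-up. Assumes the Keycloak admin REST API
# (/admin/realms/{realm}/clients) and an admin bearer token obtained elsewhere.
HOST_FIELDS = ("rootUrl", "baseUrl", "adminUrl", "redirectUris", "attributes")

# Constructed sample client: hostnames and ACS path are made up; clientId is the
# ISE Entity ID from the write-up, which carries no hostname and must not change.
SAMPLE_CLIENT = {
    "id": "00000000-0000-4000-8000-000000000000",
    "clientId": "http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8",
    "redirectUris": ["https://ise-02.example.net:8443/portal/SSOLoginResponse.action"],
    "attributes": {"saml_assertion_consumer_url_post": "https://ise-02.example.net:8443/portal/SSOLoginResponse.action"},
}

def rewrite_hostname(client, old, new):
    """Return (updated deep copy, changed paths). Matches on label boundaries so
    'ise-02' does not also hit 'ise-020'; clientId is outside HOST_FIELDS and never touched."""
    pat = re.compile(rf"(?<![\w-]){re.escape(old)}(?![\w-])")
    updated, changes = json.loads(json.dumps(client)), []
    for key in HOST_FIELDS:
        val = updated.get(key)
        if isinstance(val, str):
            if pat.search(val):
                updated[key] = pat.sub(new, val)
                changes.append(key)
            continue
        for k, s in (enumerate(val) if isinstance(val, list) else (val or {}).items()):
            if isinstance(s, str) and pat.search(s):
                val[k] = pat.sub(new, s)
                changes.append(f"{key}[{k}]" if isinstance(k, int) else f"{key}.{k}")
    return updated, changes

def update_saml_client(base_url, token, realm, client_id, old, new):
    """GET by clientId, rewrite, PUT the full object (Keycloak has no PATCH)."""
    hdr = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url = f"{base_url}/admin/realms/{realm}/clients?clientId={urllib.parse.quote(client_id, safe='')}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=hdr)) as r:
        hits = json.load(r)
    if len(hits) != 1:
        raise RuntimeError(f"expected exactly one client for {client_id}, got {len(hits)}")
    updated, changes = rewrite_hostname(hits[0], old, new)
    if changes:  # PUT only when something changed, and always the whole representation
        req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/clients/{hits[0]['id']}",
                                     data=json.dumps(updated).encode(), headers=hdr, method="PUT")
        urllib.request.urlopen(req).close()
    return changes
```

Run rewrite_hostname over the exported client JSON first and review the returned change list before calling update_saml_client; that is the "Export Keycloak SAML client configuration" step paying off.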