INC-2026-02-14-001: Resolution

Resolution

Approach: Keycloak REST API

Used the Keycloak Admin REST API rather than the admin console for:

* Reproducibility - commands can be scripted
* Documentation - exact steps captured
* Skill building - API-first approach for automation

CLI Mastery: Keycloak REST API

Step 1: Retrieve Admin Token

# Retrieve the admin password from dsec rather than hard-coding it here.
KC_ADMIN_PASS="<password-from-dsec>"

# Password grant against the master realm using the built-in admin-cli client.
# The token carries full admin rights and is short-lived: re-run this step if
# a later call returns 401.
KC_TOKEN=$(curl -s -X POST \
  "https://keycloak-01.inside.domusdigitalis.dev:8443/realms/master/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin" \
  -d "password=$KC_ADMIN_PASS" \
  -d "grant_type=password" \
  -d "client_id=admin-cli" \
  --insecure | jq -r '.access_token')

Caveats: --insecure disables TLS certificate verification for the call; for anything scripted, pass the internal CA bundle with --cacert instead. If the password contains URL-special characters (&, %, +), send it with --data-urlencode rather than -d. If the login fails, jq prints null and every later call returns 401, so check that KC_TOKEN is non-empty and not "null" before continuing.

Step 2: List SAML Clients

# Filter the realm's clients down to SAML ones. The per-client endpoints are
# keyed on id (the Keycloak UUID), not on clientId.
curl -s "https://keycloak-01.inside.domusdigitalis.dev:8443/admin/realms/domusdigitalis/clients" \
  -H "Authorization: Bearer $KC_TOKEN" \
  --insecure | jq '.[] | select(.protocol=="saml") | {id, clientId, name}'

Output:

{
  "id": "0d7b3b6b-d32f-49a0-9563-6cc8e645b59c",
  "clientId": "http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8",
  "name": "Cisco ISE Admin Portal (ise-02)"
}

Step 3: Export Full Configuration

CLIENT_UUID="0d7b3b6b-d32f-49a0-9563-6cc8e645b59c"

curl -s "https://keycloak-01.inside.domusdigitalis.dev:8443/admin/realms/domusdigitalis/clients/$CLIENT_UUID" \
  -H "Authorization: Bearer $KC_TOKEN" \
  --insecure > /tmp/ise-saml-client.json

Step 4: Transform with sed

# Blind global substitution: every occurrence of "ise-02" anywhere in the
# export is rewritten, not only the fields listed below.
sed 's/ise-02/ise-01/g' /tmp/ise-saml-client.json > /tmp/ise-saml-client-updated.json

Changes applied (only the hostname changes; scheme, port and path are kept):

Field                              New Value
name                               Cisco ISE Admin Portal (ise-01)
rootUrl                            https://ise-01.inside.domusdigitalis.dev
adminUrl                           https://ise-01.inside.domusdigitalis.dev
redirectUris                       https://ise-01.inside.domusdigitalis.dev:8443/*
                                   https://ise-01.inside.domusdigitalis.dev/*
webOrigins                         https://ise-01.inside.domusdigitalis.dev
saml_assertion_consumer_url_post   https://ise-01.inside.domusdigitalis.dev:8443/portal/SSOLoginResponse.action

id and clientId are untouched because neither contains the hostname. clientId (http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8) is the SAML SP entity ID that Keycloak matches against the Issuer of incoming AuthnRequests, so ise-01 must present that same entity ID. Before applying, diff the original and updated files to confirm that nothing beyond the fields above was rewritten.

Step 5: Apply Update via PUT

# Send back the full exported representation with only the hostnames changed.
curl -s -X PUT \
  "https://keycloak-01.inside.domusdigitalis.dev:8443/admin/realms/domusdigitalis/clients/$CLIENT_UUID" \
  -H "Authorization: Bearer $KC_TOKEN" \
  -H "Content-Type: application/json" \
  -d @/tmp/ise-saml-client-updated.json \
  --insecure -w "\nHTTP_STATUS: %{http_code}\n"

Result: HTTP_STATUS: 204. Keycloak returns 204 No Content with an empty body on a successful update; any other status means nothing was applied (typically 400 for a representation it rejects, or 401 for an expired token).

Step 6: Verify

curl -s "https://keycloak-01.inside.domusdigitalis.dev:8443/admin/realms/domusdigitalis/clients/$CLIENT_UUID" \
  -H "Authorization: Bearer $KC_TOKEN" \
  --insecure | jq '{name, rootUrl, redirectUris}'

Output:

{
  "name": "Cisco ISE Admin Portal (ise-01)",
  "rootUrl": "https://ise-01.inside.domusdigitalis.dev",
  "redirectUris": [
    "https://ise-01.inside.domusdigitalis.dev:8443/*",
    "https://ise-01.inside.domusdigitalis.dev/*"
  ]
}
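To make the Step 4 transform and the pre-PUT check scriptable without a blind global substitution, the following added example (not part of this incident record, and not Keycloak tooling) rewrites only the host-bearing fields of the exported representation, leaves id and clientId alone, and reports both what changed and what still mentions the old name. The sample export is constructed from the Step 3 and Step 6 output; its description text and certificate placeholder are invented to exercise the leftover check. Field names are Keycloak's ClientRepresentation keys. push_update assumes an internal CA bundle path and needs network access, so the stand-alone run does not call it.

```python
"""Targeted rewrite of a Keycloak SAML client export, with a change report.

Added example (not part of the incident record): stands in for the sed step
and the pre-PUT check. Only fields that legitimately carry the ISE hostname
are rewritten; id and clientId (the SAML entity ID) are never touched, and
every remaining mention of the old name is reported instead of replaced.
"""
import copy
import json
import ssl
import urllib.request

# Top-level ClientRepresentation fields that may carry the host, and the SAML
# attributes that do. Anything else containing the old name is only reported.
REWRITE_FIELDS = ("name", "rootUrl", "adminUrl", "baseUrl", "redirectUris", "webOrigins")
REWRITE_ATTRIBUTES = (
    "saml_assertion_consumer_url_post",
    "saml_assertion_consumer_url_redirect",
    "saml_single_logout_service_url_post",
    "saml_single_logout_service_url_redirect",
)

# Constructed sample export modelled on the Step 3 output. The description and
# the certificate value are invented for the example.
SAMPLE_EXPORT = {
    "id": "0d7b3b6b-d32f-49a0-9563-6cc8e645b59c",
    "clientId": "http://CiscoISE/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8",
    "name": "Cisco ISE Admin Portal (ise-02)",
    "description": "Admin SSO, originally built for ise-02",
    "protocol": "saml",
    "rootUrl": "https://ise-02.inside.domusdigitalis.dev",
    "adminUrl": "https://ise-02.inside.domusdigitalis.dev",
    "redirectUris": [
        "https://ise-02.inside.domusdigitalis.dev:8443/*",
        "https://ise-02.inside.domusdigitalis.dev/*",
    ],
    "webOrigins": ["https://ise-02.inside.domusdigitalis.dev"],
    "attributes": {
        "saml_assertion_consumer_url_post":
            "https://ise-02.inside.domusdigitalis.dev:8443/portal/SSOLoginResponse.action",
        "saml.signing.certificate": "MIIC-CONSTRUCTED-PLACEHOLDER",
    },
}


def rewrite_client(client, old, new):
    """Return (updated deep copy, list of JSON paths that were changed)."""
    updated = copy.deepcopy(client)
    changed = []
    for field in REWRITE_FIELDS:
        value = updated.get(field)
        if isinstance(value, str) and old in value:
            updated[field] = value.replace(old, new)
            changed.append(field)
        elif isinstance(value, list):
            rewritten = [v.replace(old, new) if isinstance(v, str) else v for v in value]
            if rewritten != value:
                updated[field] = rewritten
                changed.append(field)
    attrs = updated.get("attributes", {})
    for key in REWRITE_ATTRIBUTES:
        value = attrs.get(key)
        if isinstance(value, str) and old in value:
            attrs[key] = value.replace(old, new)
            changed.append("attributes." + key)
    return updated, changed


def leftover_references(node, needle, path=""):
    """JSON paths under `node` whose string value still contains `needle`."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += leftover_references(value, needle, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += leftover_references(value, needle, f"{path}[{i}]")
    elif isinstance(node, str) and needle in node:
        hits.append(path)
    return hits


def push_update(base_url, realm, token, client, cafile):
    """PUT the representation back, verifying TLS against the CA bundle in
    `cafile` instead of disabling verification. Returns the HTTP status;
    Keycloak answers 204 on success. Needs network access (assumed path)."""
    url = f"{base_url}/admin/realms/{realm}/clients/{client['id']}"
    req = urllib.request.Request(
        url,
        data=json.dumps(client).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    updated, changed = rewrite_client(SAMPLE_EXPORT, "ise-02", "ise-01")
    print("changed:", changed)
    print("still mention ise-02:", leftover_references(updated, "ise-02"))
    print(json.dumps(updated, indent=2))
```

Run it on the real export by loading /tmp/ise-saml-client.json into rewrite_client instead of SAMPLE_EXPORT; review the changed list and any leftover paths (a description is harmless, an unexpected attribute is not), then write the updated dict out as the body for Step 5 or hand it to push_update with the token from Step 1.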

Step 7: Test SAML Login

  1. Navigate to https://ise-01.inside.domusdigitalis.dev/admin/

  2. Click "Log in with SAML"

  3. Redirect to Keycloak login

  4. Authenticate as evanusmodestus

  5. Redirect to ISE Admin Portal - SUCCESS