Description

I am currently using Keycloak 18.0.0 and have a requirement to use different RSA-SHA256 key providers for different signing purposes within the same realm.

Although Keycloak allows creating multiple Key Providers in a realm using the RSA-SHA256 algorithm, only the provider configured with the highest priority is used for all signing operations. As a result, the same key is used for both:

• SAML AuthnRequest signing
• JWT access token signing

Required Behavior

I need to be able to configure:

• Provider 1 (Key 1) → Used only for SAML AuthnRequest signing
• Provider 2 (Key 2) → Used only for JWT token signing

This separation is required because:

• The external IdP is configured to accept only SAML AuthnRequests signed with Key 1
• The backend API is configured to accept only JWT tokens signed with Key 2

Current Limitation

At the moment, even though multiple RSA-SHA256 providers can be created in the realm, Keycloak always uses the highest-priority provider for both SAML and OIDC signing operations. Passive keys can be used for verification, but not selectively for signing.

Questions

1. Do newer Keycloak versions support selecting different RSA-SHA256 providers for different protocols (SAML vs OIDC) within the same realm?
2. If this is not supported natively, how have others addressed this requirement?
   • Separate realms for SAML and OIDC?
   • Custom SPI to control key selection?
   • External validation or signing at the API Gateway level?
3. Are there any known feature requests or roadmap items addressing protocol-specific signing keys?

Any feedback, best practices, or references to similar implementations would be greatly appreciated.