How to disable WantAuthnRequestsSigned

Rafael Correa

Feb 14, 2020, 5:46:56 PM
to Keycloak User
Does anyone know how to disable WantAuthnRequestsSigned in the IDPSSODescriptor?

I have the feeling my integration doesn't work because this is always set to true - and I can't find a place in Keycloak to disable it o.O

I'm running 6.x.

Cheers

Ahmed Garrech

Sep 24, 2020, 5:17:12 AM
to Keycloak User
Good morning! Did you find a solution for that? To set the WantAuthnRequestsSigned value to false!
thank you


Luis Rodríguez Fernández

Sep 29, 2020, 6:21:20 AM
to Ahmed Garrech, Keycloak User
Hello Ahmed,

mmm, I know that this is not the exact answer that you are looking for, but did you try WantAuthnRequestsSigned="false" in your client configuration?

Hope it helps,

Luis

--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

Gilbert FERNANDES

Sep 29, 2020, 6:38:01 AM
to Luis Rodríguez Fernández, Ahmed Garrech, Keycloak User
Turning off "Client Signature Required" in the client configuration does this:
AuthnRequestsSigned="false" WantAssertionsSigned="false"

The default value is ON (for security) and does this:
AuthnRequestsSigned="true" WantAssertionsSigned="false"

That is what I see when I check the output of Installation -> SAML Metadata SPSSODescriptor.

Is this what you want? To have AuthnRequestsSigned set to false?


Ahmed Garrech

Sep 29, 2020, 7:00:16 AM
to Gilbert FERNANDES, Luis Rodríguez Fernández, Keycloak User
Hello Gilbert, thanks for your answer. Yes, I tried it, but it does not work: when the application tries to communicate with Keycloak it finds that WantAuthnRequestsSigned=true, so an error appears.

Gilbert FERNANDES

Sep 29, 2020, 8:34:02 AM
to Ahmed Garrech, Luis Rodríguez Fernández, Keycloak User
What is being sent to you will be signed by the other party's SAML key.
You can choose, in Keycloak, to verify or not verify what is being sent to you.
Of course, for security, you do want to check the signature of what is being sent to you, so you need both "Client Signature Required" and a SAML key defined for the party contacting you.

On the remote party's side, it's the same. They need to import the public certificate of the realm where your SAML client is located in order to be able to verify the signatures of what you are sending in the XML. In your SAML client configuration you can sign the whole XML (option "Sign Documents") and you can also sign the assertions inside that XML (option "Sign Assertions"). Usually signing the whole document is used, as everything inside (including the assertions) will be signed. But if you do encrypt the assertions, it becomes very important to encrypt + sign. When using encryption, signing is very important and should always go alongside encryption (Applied Cryptography by Bruce Schneier explains why).

I am much more at ease with OpenID Connect than SAML, so I'm trying to help, but I guess the mailing list has SAML experts far beyond my poor knowledge of it to help you if you remain stuck 😉
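
Added example, not part of this thread and not Keycloak's own code: a small Python script that reads the two metadata documents Gilbert's replies are about (the SPSSODescriptor Keycloak shows under Installation -> SAML Metadata with "Client Signature Required" on and off, and an IDPSSODescriptor that advertises WantAuthnRequestsSigned="true", the flag the original poster cannot turn off) and reports whether the SP's promise (AuthnRequestsSigned) and the IdP's demand (WantAuthnRequestsSigned) agree. The metadata, entity IDs and URLs are constructed placeholders, and the `signing_flags` / `check_compat` helpers are mine; the script does not touch Keycloak.

```python
"""Read SAML 2.0 metadata signing flags and check SP/IdP agreement.

Added example for this thread (not Keycloak's own code). The metadata below
is constructed by hand: an SPSSODescriptor shaped like the one Keycloak shows
under Installation -> SAML Metadata SPSSODescriptor with "Client Signature
Required" on and off, and an IDPSSODescriptor that advertises
WantAuthnRequestsSigned="true". Entity IDs and URLs are placeholders.
"""
import xml.etree.ElementTree as ET  # for metadata fetched from untrusted sources, prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata, "Client Signature Required" ON (the default, per the thread).
SP_SIGNED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same SP with "Client Signature Required" OFF: only AuthnRequestsSigned changes.
SP_UNSIGNED = SP_SIGNED.replace('AuthnRequestsSigned="true"', 'AuthnRequestsSigned="false"')

# Constructed IdP metadata that insists on signed AuthnRequests (the flag the thread is about).
IDP_STRICT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same IdP with the flag relaxed (what the original poster is trying to obtain).
IDP_RELAXED = IDP_STRICT.replace('WantAuthnRequestsSigned="true"', 'WantAuthnRequestsSigned="false"')


def _xs_bool(value):
    """xs:boolean as used in SAML metadata: 'true'/'1' are true; an absent attribute means false."""
    return (value or "false").strip().lower() in ("true", "1")


def signing_flags(metadata_xml):
    """Return the signing-related attributes of the role descriptors in an EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    flags = {}
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:
        flags["AuthnRequestsSigned"] = _xs_bool(sp.get("AuthnRequestsSigned"))
        flags["WantAssertionsSigned"] = _xs_bool(sp.get("WantAssertionsSigned"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        flags["WantAuthnRequestsSigned"] = _xs_bool(idp.get("WantAuthnRequestsSigned"))
    return flags


def check_compat(sp_xml, idp_xml):
    """List the mismatches between what the SP promises and what the IdP demands."""
    sp, idp = signing_flags(sp_xml), signing_flags(idp_xml)
    problems = []
    if "AuthnRequestsSigned" not in sp:
        problems.append("SP metadata has no SPSSODescriptor")
    if "WantAuthnRequestsSigned" not in idp:
        problems.append("IdP metadata has no IDPSSODescriptor")
    if (
        "AuthnRequestsSigned" in sp
        and idp.get("WantAuthnRequestsSigned")
        and not sp["AuthnRequestsSigned"]
    ):
        # The thread's situation: an SP that sends unsigned AuthnRequests to an IdP
        # whose metadata says it requires them signed.
        problems.append(
            "IdP advertises WantAuthnRequestsSigned=true but the SP advertises "
            "AuthnRequestsSigned=false"
        )
    return problems


if __name__ == "__main__":
    for sp_name, sp_xml in (("SP signed", SP_SIGNED), ("SP unsigned", SP_UNSIGNED)):
        for idp_name, idp_xml in (("IdP strict", IDP_STRICT), ("IdP relaxed", IDP_RELAXED)):
            print(f"{sp_name:12s} vs {idp_name:12s}: {check_compat(sp_xml, idp_xml) or 'OK'}")
```

The script only compares what the two sides advertise; whether an IdP actually rejects an unsigned request is runtime behaviour (in Keycloak, per Gilbert, governed by the client's "Client Signature Required" switch), so a clean result here is a necessary, not sufficient, check. If you feed it metadata downloaded from a party you do not control, parse it with defusedxml instead of the standard ElementTree.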

Ahmed Garrech

Sep 29, 2020, 10:10:48 AM
to Gilbert FERNANDES, Luis Rodríguez Fernández, Keycloak User
The deployment is in Azure, where the Auth request is not expected to be signed; for that I need to configure this WantAuthnRequestsSigned in Keycloak to be false.