
Configure Keycloak to Encrypt SAML Assertions with AES-128-GCM Instead of AES-128-CBC


amine taktak

Dec 5, 2024, 10:18:15 AM
to Keycloak User

Hi,

I am working on a project where Single Sign-On (SSO) is implemented via SAML. I am using Keycloak 26.0.6 locally to simulate the SSO. As part of the setup, I am trying to configure Keycloak to encrypt SAML assertions using AES-128-GCM instead of the default AES-128-CBC.

Below is a snippet of the current SAML response obtained through SAML-Tracer:

<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_36c8dd9b03ad45e7acc1f938f69c148d" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    ....
  </xenc:EncryptedData>
</saml2:EncryptedAssertion>

I need to encrypt the SAML assertion using AES-128-GCM instead of the default AES-128-CBC to verify if the Service Provider (My Application) can successfully decrypt the SAML assertion. However, I couldn’t find any way to configure Keycloak to achieve this. I am using the master realm. In the Realm Settings, I tried adding a new AES key using the "Add Provider" button, hoping to select the AES-128-GCM algorithm, but without success.

I’ve outlined the issue in detail in my Stack Overflow post here:

https://stackoverflow.com/questions/79251446/configure-keycloak-to-encrypt-saml-assertions-with-aes-128-gcm-instead-of-aes-12

I would greatly appreciate your insights or guidance on resolving this.

Best regards,
Amine Taktak  
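The post asks whether the Service Provider will still decrypt once the EncryptionMethod changes from aes128-cbc to aes128-gcm. The two algorithms differ in how the bytes inside <xenc:CipherValue> are laid out, and that is where an SP that was only tested against CBC tends to break. The following Go program is an added example, not Keycloak code and not code from the poster: it implements the XML Encryption byte layout for both URIs with the standard library (IV prepended for CBC; 96-bit IV prepended and 128-bit tag appended for GCM, per XML Encryption 1.1) and decrypts it the way an SP must. It works one layer below the XML: it assumes the content-encryption key has already been unwrapped from <xenc:EncryptedKey>, which is not shown, and the key and assertion text are constructed values. The last function shows what the SP actually gains from the switch: with CBC a changed byte on the wire still decrypts to something, with GCM the tag check rejects it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// URIs as they appear in <xenc:EncryptionMethod Algorithm="...">; sizes per XML Encryption 1.0/1.1.
const (
	AlgAES128CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc" // the one in the SAML-Tracer snippet
	AlgAES128GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"  // defined by XML Encryption 1.1
	cbcIVLen     = aes.BlockSize                                 // CBC: 16-byte IV prepended to the ciphertext
	gcmIVLen     = 12                                            // GCM: 96-bit IV prepended to the ciphertext
	gcmTagLen    = 16                                            // GCM: 128-bit tag appended to the ciphertext
)

// EncryptCipherValue builds the raw bytes an IdP base64-encodes into <xenc:CipherValue>: IV || ciphertext (CBC) or IV || ciphertext || tag (GCM).
func EncryptCipherValue(alg string, key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	switch alg {
	case AlgAES128CBC:
		// XML Encryption padding: pad bytes whose last byte holds the pad length (1..16).
		padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
		padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
		out := make([]byte, cbcIVLen+len(padded))
		if _, err := io.ReadFull(rand.Reader, out[:cbcIVLen]); err != nil {
			return nil, err
		}
		cipher.NewCBCEncrypter(block, out[:cbcIVLen]).CryptBlocks(out[cbcIVLen:], padded)
		return out, nil
	case AlgAES128GCM:
		gcm, err := cipher.NewGCM(block) // Go's default 12-byte nonce and 16-byte tag match xmlenc11
		if err != nil {
			return nil, err
		}
		iv := make([]byte, gcmIVLen)
		if _, err := io.ReadFull(rand.Reader, iv); err != nil {
			return nil, err
		}
		return append(iv, gcm.Seal(nil, iv, plaintext, nil)...), nil // Seal appends the tag
	}
	return nil, fmt.Errorf("unsupported EncryptionMethod %q", alg)
}

// DecryptCipherValue is the SP side: it splits the payload by algorithm URI. Only GCM verifies integrity; CBC in XML Encryption has no such check.
func DecryptCipherValue(alg string, key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	switch alg {
	case AlgAES128CBC:
		if len(payload) < 2*aes.BlockSize || len(payload)%aes.BlockSize != 0 {
			return nil, errors.New("cbc: payload is not an IV followed by whole blocks")
		}
		pt := make([]byte, len(payload)-cbcIVLen)
		cipher.NewCBCDecrypter(block, payload[:cbcIVLen]).CryptBlocks(pt, payload[cbcIVLen:])
		padLen := int(pt[len(pt)-1])
		if padLen < 1 || padLen > aes.BlockSize {
			return nil, errors.New("cbc: invalid padding")
		}
		return pt[:len(pt)-padLen], nil
	case AlgAES128GCM:
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		if len(payload) < gcmIVLen+gcmTagLen {
			return nil, errors.New("gcm: payload shorter than IV plus tag")
		}
		return gcm.Open(nil, payload[:gcmIVLen], payload[gcmIVLen:], nil) // tag checked before any plaintext is returned
	}
	return nil, fmt.Errorf("unsupported EncryptionMethod %q", alg)
}

// FlipIVByteAndDecrypt shows the difference an SP sees: with one transmitted IV byte changed, CBC still returns (altered) plaintext, GCM refuses.
func FlipIVByteAndDecrypt(alg string, key, payload []byte) ([]byte, error) {
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0x01
	return DecryptCipherValue(alg, key, tampered)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte AES-128 content-encryption key
	for _, alg := range []string{AlgAES128CBC, AlgAES128GCM} {
		payload, _ := EncryptCipherValue(alg, key, []byte("<saml2:Assertion>constructed</saml2:Assertion>"))
		pt, err := DecryptCipherValue(alg, key, payload)
		_, tErr := FlipIVByteAndDecrypt(alg, key, payload)
		fmt.Printf("%s\n  %d payload bytes, decrypt=%q err=%v\n  after IV change: err=%v\n", alg, len(payload), pt, err, tErr)
	}
}
```

Once the IdP is reconfigured, the thing to confirm in SAML-Tracer is the Algorithm attribute of <xenc:EncryptionMethod> under <xenc:EncryptedData>: it should read http://www.w3.org/2009/xmlenc11#aes128-gcm rather than the aes128-cbc URI in the snippet above. An SP library that only handles the CBC layout will typically fail on GCM either by treating the trailing 16 tag bytes as ciphertext or by not knowing the xmlenc11 URI at all, so the decrypt path, not the key transport, is the first place to look.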
