Hi,
I am working on a project where Single Sign-On (SSO) is implemented via SAML. I am using Keycloak 26.0.6 locally to simulate the SSO. As part of the setup, I am trying to configure Keycloak to encrypt SAML assertions using AES-128-GCM instead of the default AES-128-CBC.
Below is a snippet of the current SAML response obtained through SAML-Tracer:
<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_36c8dd9b03ad45e7acc1f938f69c148d" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    ....
  </xenc:EncryptedData>
</saml2:EncryptedAssertion>
I need to encrypt the SAML assertion using AES-128-GCM instead of the default AES-128-CBC to verify if the Service Provider (My Application) can successfully decrypt the SAML assertion. However, I couldn’t find any way to configure Keycloak to achieve this. I am using the master realm. In the Realm Settings, I tried adding a new AES key using the "Add Provider" button, hoping to select the AES-128-GCM algorithm, but without success.
I’ve outlined the issue in detail in my Stack Overflow post here:
https://stackoverflow.com/questions/79251446/configure-keycloak-to-encrypt-saml-assertions-with-aes-128-gcm-instead-of-aes-12
I would greatly appreciate your insights or guidance on resolving this.
Best regards,
Amine Taktak
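As an added illustration that is not part of the question above and not Keycloak's own code: a small check the Service Provider side can run over a SAML response to confirm which data-encryption algorithm the EncryptedAssertion actually carries, distinguishing the AES-128-CBC URI seen in the trace from the AES-128-GCM URI defined in XML Encryption 1.1. The sample XML, the `_example` Id and the PLACEHOLDER cipher values are constructed here for the demonstration.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"saml2": SAML2, "xenc": XENC}

# Data-encryption algorithm URIs: AES-CBC is defined in XML Encryption 1.0,
# AES-GCM in XML Encryption 1.1 (note the different namespace).
AES128_CBC = XENC + "aes128-cbc"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"


def sample_response(alg):
    """Constructed sample shaped like the SAML-Tracer snippet; the
    CipherValue contents are placeholders, not real ciphertext."""
    return f"""<saml2:EncryptedAssertion xmlns:saml2="{SAML2}">
  <xenc:EncryptedData xmlns:xenc="{XENC}" Id="_example" Type="{XENC}Element">
    <xenc:EncryptionMethod Algorithm="{alg}"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml2:EncryptedAssertion>"""


def assertion_encryption_algorithms(xml_text):
    """Return the data-encryption Algorithm URI of each EncryptedAssertion.
    Only the EncryptionMethod that is a direct child of EncryptedData is read;
    the one under KeyInfo/EncryptedKey describes key transport (RSA-OAEP)
    and is deliberately skipped."""
    root = ET.fromstring(xml_text)
    algorithms = []
    for enc_assertion in root.iter(f"{{{SAML2}}}EncryptedAssertion"):
        enc_data = enc_assertion.find("xenc:EncryptedData", NS)
        method = enc_data.find("xenc:EncryptionMethod", NS) if enc_data is not None else None
        algorithms.append(method.get("Algorithm") if method is not None else None)
    return algorithms


def check_assertion_encryption(xml_text, allowed=(AES128_GCM,)):
    """SP-side check returning (ok, algorithms): ok only when at least one
    EncryptedAssertion is present and every one uses an allowed algorithm."""
    algorithms = assertion_encryption_algorithms(xml_text)
    ok = bool(algorithms) and all(a in allowed for a in algorithms)
    return ok, algorithms
```

Run `check_assertion_encryption(sample_response(AES128_CBC))` to see the CBC case reported as not allowed, and swap in `AES128_GCM` to see the accepted case.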