
keycloak 26.0.7 SAML IDP metadata not signed


Zdeněk Henek

Dec 5, 2024, 4:29:49 AM
to Keycloak User
Hi,

I would like to have signed SAML metadata provided by Keycloak.

I am able to configure Keycloak SAML with my service provider, and all works as expected.

I start Keycloak locally using Docker:
docker run -p 8090:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin keycloak/keycloak:26.0.7 start-dev

I configured the client, and the content of
is provided but is not signed.
The Signature section is missing from the EntityDescriptor generated by Keycloak:

<EntityDescriptor ID="value1" entityID="value2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="#value1">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>digestValue</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>signedValue</SignatureValue>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>certificateOfKeyUsedToSignMetadata</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </Signature>
    <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
        <KeyDescriptor use="signing">
.....
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>
.....

followed by the signing certificate definition as usual.

How could I get Keycloak to generate this SignedInfo element in its SAML 2.0 XML metadata?

I have tested with Docker Keycloak 17.0.1 too; all works, but I can't get a signed IDP (Keycloak) metadata URL.

How could I add a Signature to the IDP metadata URL?

Thank you.

Regards,
Zdenek Henek
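An added example, not from this thread or the Keycloak project: a stdlib-only Python check that a relying party can run over IdP metadata before importing it, auditing for the Signature structure sketched above (an enveloped signature whose Reference is bound to the EntityDescriptor ID, RSA-SHA256 with SHA-256 digests, and an embedded signing certificate). The sample documents and their placeholder values are constructed; the check covers structure only and does not verify the cryptographic SignatureValue, which needs a full XML-DSig library.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
OK_SIGNATURE = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
OK_DIGEST = {"http://www.w3.org/2001/04/xmlenc#sha256"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Constructed sample documents: digest, signature and certificate values are placeholders.
SIGNATURE_BLOCK = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_abc"><Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>PLACEHOLDER_DIGEST</DigestValue></Reference></SignedInfo>
<SignatureValue>PLACEHOLDER_SIGNATURE</SignatureValue>
<KeyInfo><X509Data><X509Certificate>PLACEHOLDER_CERT</X509Certificate></X509Data></KeyInfo>
</Signature>"""
TEMPLATE = ('<EntityDescriptor ID="_abc" entityID="https://idp.example.test" '
            'xmlns="urn:oasis:names:tc:SAML:2.0:metadata">%s'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            '</EntityDescriptor>')
SIGNED_METADATA = TEMPLATE % SIGNATURE_BLOCK  # the shape the poster is asking Keycloak for
UNSIGNED_METADATA = TEMPLATE % ""             # the shape Keycloak currently emits


def audit_metadata(xml_text: str) -> list[str]:
    """Return findings about the metadata signature; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return ["EntityDescriptor carries no ds:Signature (metadata is unsigned)"]
    findings = []
    info = f"{{{DS}}}SignedInfo/"
    ref = sig.find(info + f"{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):  # must bind to this document
        findings.append("Reference URI does not point at the EntityDescriptor ID")
    method = sig.find(info + f"{{{DS}}}SignatureMethod")
    if method is None or method.get("Algorithm") not in OK_SIGNATURE:
        findings.append("SignatureMethod missing or not an accepted algorithm")
    digest = sig.find(info + f"{{{DS}}}Reference/{{{DS}}}DigestMethod")
    if digest is None or digest.get("Algorithm") not in OK_DIGEST:
        findings.append("DigestMethod missing or not an accepted algorithm")
    transforms = {t.get("Algorithm") for t in sig.iterfind(info + f"{{{DS}}}Reference/{{{DS}}}Transforms/{{{DS}}}Transform")}
    if ENVELOPED not in transforms:
        findings.append("Reference lacks the enveloped-signature transform")
    cert = sig.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        findings.append("KeyInfo carries no X509Certificate identifying the signer")
    return findings
```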



Zdeněk Henek

Dec 5, 2024, 5:02:06 AM
to Keycloak User
Is it possible this is not implemented?

I have checked the source code.
Class SignatureType
has the method
public void setSignedInfo(SignedInfoType value) {
    this.signedInfo = value;
}

but I don't see any use of this method in Keycloak project :(

ZH
On Thursday, December 5, 2024 at 9:29:49 UTC, Zdeněk Henek wrote:

Zdeněk Henek

Dec 10, 2024, 12:47:14 PM
to Keycloak User
Hi,

I managed to sign the XML manually using xmlsectool; my service providers allow importing IDP metadata as an XML file, or I could host the file on any HTTP endpoint if needed, and the login process now works the same way as with the ADFS IDP.

What forum should I use to discuss the SAML metadata signature implementation? It looks like this is not implemented.

Is there a better place to open this question?

Thanks.

Regards,
Zdenek Henek


Zdeněk Henek

Dec 10, 2024, 1:23:43 PM
to Keycloak User
Hi,

I found an open issue for unsigned SAML IDP metadata: https://github.com/keycloak/keycloak/issues/34132

ZH

On Tuesday, December 10, 2024 at 17:47:14 UTC, Zdeněk Henek wrote: