[keycloak-dev] Support for key rotation in SAML Redirect binding

John Dennis jdennis at redhat.com
Tue Nov 1 11:23:05 EDT 2016 

On 11/01/2016 05:04 AM, Stian Thorgersen wrote:
> Hynek - your responses seems to be missing the list. Maybe you didn't
> use reply to all?
>
> If SAML is missing a standard way to specify an id for the keys used
> that's just stupid IMO. Signature validation is expensive and if there
> are multiple keys available it would be plain stupid to have to iterate
> over all to check. Granted in most cases we're only talking about a few
> keys.
>
> Sounds like the extensions approach is the best one. The id should be
> within the assertion and not passed separately.
>
> John - Keycloak has SP libraries as well, so this is an
> extension/optimalization that our adapters can use. Do other SP libs
> (i.e. mod_auth_mellon) go through the list of keys in order? If so we
> just need to make sure the list is sorted by most recent (and active
> key) first so there's a high probability the first key is the correct
> one. With regards to federation not sure what your comment that the
> instances needs to share keys is about. One IdP has a list of keys and
> the other IdP needs to figure out which of the keys are the correct one
> for an assertion.

1) SAML does have a mechanism to transmit a keyID, just not in the 
singular case when the HTTP-Redirect binding is used. The reason being 
the SAML message is transmitted as a URL query parameter which has 
practical length limitations. I believe OAuth and OIDC, in conjunction 
with JOSE, JWT etc. have similar restrictions to accommodate URL length 
constraints (sorry, can't give you pointers right off the top of my head 
for these other protocols).

2) In the singular case of the HTTP-Redirect binding you can still sign 
the AuthnRequest but unlike all other SAML protocol messages there is no 
official way to include a keyID. This was Hynek's issue/question.

3) The HTTP-Redirect binding is typically used to send a AuthnRequest 
from a SP to an IdP. It's not the only SAML binding you can use to 
transmit an AuthnRequest from a SP to an IdP, you can also use the 
HTTP-POST or SOAP bindings which do not have the length constraint 
imposed by the HTTP-Redirect binding.

4) Using another binding will not work for standard Web SSO because the 
flow is different. But that's OK because the proposed mechanism will 
only work with cooperating entities, e.g. both the SP and the IdP are 
Keycloak implementations. But since this is proposed only for KC to KC 
you're free to use whatever binding you want.

5) The only SAML message of concern here is AuthnRequest because only 
the HTTP-Redirect binding is affected by the keyID limitation. Although 
I believe it's legal to pass other SAML messages in a HTTP-Redirect 
binding I'm not aware of any such usage, so this is a very specific case.

6) My comment about instances sharing keys (actually keyID's) was in 
reference to the fact *both* parties have to know the keyID so you need 
a mechanism to share that information, the entity metadata is the best 
mechanism, but you could also do it via some out of band mechanism.

7) The period of time during in which multiple keys are in effect is 
expected to be relatively short. The chance of selecting the correct key 
on first attempt is high. The keyID issue affects only one protocol 
message. The lack of a keyID affects only KC to KC messages. Add all 
these together and you've got a very narrow case you're trying to 
optimize for. Is this where you need to be spending your optimization 
efforts? However this is an easy solution and goes directly to Hynek's 
question/issue, see next ...

8) I believe adding the keyID as an additional query parameter for 
HTTP-Redirect is the easiest and cleanest solution. SAML does not 
prohibit additional query parameters. Query parameters are consistent 
with the rest of the HTTP-Redirect binding. Of course one has to be 
careful concerning the total URL length. Of course you could also use a 
different binding as per item 3 because this is a KC to KC case.

9) Mellon does not currently support key rotation, It would be an RFE. 
but one we would be interested in implementing. Actually I don't think 
it would be implemented in mellon, rather it would need to be 
implemented in the lasso library that mellon uses for SAML. While doing 
that work we could also make sure keyID's are utilized.

10) I believe Shibboleth v3 supports key rotation, if so it would be 
valuable to see how they approached the problem.



-- 
John

More information about the keycloak-dev mailing list