[keycloak-user] Keycloak as a SAML SP: Is it possible to configure Keycloak to use RSA-SHA256 as the algorithm to sign assertions.

Akshay Kini kga.official at gmail.com
Wed Feb 24 05:18:47 EST 2016


Hi Bill,

Sorry for the delay in replies.

I am only using Keycloak client SP adapter.

I had already tried your suggested configuration and it doesn't work.
Snippet of my keycloak configuration file:
<IDP entityID="hpsw-idp" signatureAlgorithm="RSA_SHA512"
     signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#"
     signaturesRequired="true">


So I went further and I spent some time trying to debug the libraries and I
think I found the root cause (please excuse me if I've made a mistake in
the analysis).

I enabled TRACE logging on org.keycloak and couldn't figure out the cause
of the problem due to inadequate logging in the relevant classes.

Instead, I attached a debugger and saw that the parser does indeed pick
up the value correctly, but unfortunately the signing side of the library
doesn't seem to use the new value. I went as far back as
org.keycloak.saml.BaseSAML2BindingBuilder and saw that its value is not
correctly initialized (see further in the mail for the root cause).

So, for example, in the org.keycloak.saml.BaseSAML2BindingBuilder#postBinding()
method a new BasePostBindingBuilder is created and the constructor itself
is used to sign the document. Nowhere in that call chain is the signing
algorithm set to anything other than the default. I even tried attaching
a break-point to the "setter" method and can confirm that it isn't called
during the signing.

Here is a guess at the technical problem.
The thread stack snippet is:
org.keycloak.saml.BaseSAML2BindingBuilder#postBinding()
org.keycloak.adapters.saml.SamlUtil#sendSaml()
org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler (near line 438)
org.keycloak.adapters.saml.AbstractInitiateLogin#sendAuthnRequest()  <--
At this point the signature information is lost, i.e. we need to modify
this method and include the signature information in the method calls:
deployment.signatureAlgorithm should be passed down to the relevant
methods.


In case the mailing list is getting a bit difficult to work on this issue,
could we create a defect in Jira and talk over there? I am pretty sure this
is a defect for the Keycloak as SAML SP case.


Thanks,
Regards,
Akshay
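As an added check (not code from this thread or from Keycloak), the script below decodes a captured HTTP-POST binding SAMLRequest and reports which ds:SignatureMethod the SP actually signed with, so the RSA_SHA1-versus-RSA_SHA256 question above can be answered from the wire instead of with a debugger. The sample AuthnRequest, its entity ID and its dummy SignatureValue are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted input

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
# XML-DSig / RFC 4051 algorithm URIs mapped to the adapter's signatureAlgorithm names.
ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA_SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA_SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "RSA_SHA512",
}

def signature_algorithm(post_body: str):
    """Decode the SAMLRequest field of an HTTP-POST binding form body and
    return its ds:SignatureMethod Algorithm URI, or None if it is unsigned."""
    root = ET.fromstring(base64.b64decode(parse_qs(post_body)["SAMLRequest"][0]))
    if root.tag != SAMLP + "AuthnRequest":
        raise ValueError("not an AuthnRequest: " + root.tag)
    method = root.find(f"{DS}Signature/{DS}SignedInfo/{DS}SignatureMethod")
    return None if method is None else method.get("Algorithm")

def check(post_body: str, expected: str = "RSA_SHA256") -> str:
    """Compare what the SP actually signed with against the configured value."""
    uri = signature_algorithm(post_body)
    if uri is None:
        return "UNSIGNED"
    name = ALGORITHMS.get(uri, uri)
    if name == "RSA_SHA1":
        return f"WEAK: {name} (expected {expected})"
    return "OK" if name == expected else f"MISMATCH: {name} (expected {expected})"

# Constructed AuthnRequest with a dummy SignatureValue: inspectable, not verifiable.
_SIGNATURE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>'
    '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
)
_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_constructed" '
    'Version="2.0" IssueInstant="2016-02-24T10:18:47Z">'
    '<saml:Issuer>exampleEntityID</saml:Issuer>{sig}</samlp:AuthnRequest>'
)

def constructed_post_body(algorithm_uri) -> str:
    """Build the form body a browser would POST; None produces an unsigned request."""
    sig = "" if algorithm_uri is None else _SIGNATURE.format(alg=algorithm_uri)
    return urlencode({"SAMLRequest": base64.b64encode(_REQUEST.format(sig=sig).encode()).decode()})
```

Feed it the raw body of the SP's POST to the IdP (captured from the browser's form submission) and compare the result with the signatureAlgorithm in the adapter config.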




On Sat, Feb 13, 2016 at 4:43 AM, Bill Burke <bburke at redhat.com> wrote:

> So, you're not using keycloak-server, just our SAML client SP adapter?
>
>
> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/adapter-config.html#d4e124
>
> You can set the signature algorithm there.  The IDP section is basically
> describing what the IDP expects when you communicate to it.
>
>
> On 2/12/2016 6:43 AM, Akshay Kini wrote:
>
> Hi Bill,
>
> Thanks for looking into this.
>
> The usecase is:
>
> Keycloak is an SP and it is sending an AuthnRequest via HTTP Post. This
> AuthnRequest is always using RSA-SHA1 for signing.
>
> I have configured the Keycloak config file as follows:
> <keycloak-saml-adapter>
>     <SP entityID="exampleEntityID"
>         sslPolicy="NONE"
>         logoutPage="/logout.jsp"
>         nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>         forceAuthentication="false"
>         signatureAlgorithm="RSA_SHA256">
>
>
> In fact the SP element doesn't have "signatureAlgorithm" documented
> anywhere in the SAML Client Adapter Reference Guide (it only exists for the
> IDP).
>
> Now this is a bit of unfamiliar territory for me, but I looked into the
> Keycloak Code base (master):
> I see that the org.keycloak.adapters.saml.config.parsers.SPXmlParser
> doesn't deal with ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR while the
> IDPXmlParser does.
>
>
> Again, thanks for looking into this.
>
> P.S. Sorry to all the mailing list subscribers, this "chain" might get
> broken despite me changing the subject. I am not sure how to fix that when
> using Gmail and subscribing to a digest mailing-list. Please send a direct
> e-mail to me if you know how to fix that.
>
> Thanks,
> Regards,
> Akshay
>
>
> On Thu, Feb 11, 2016 at 7:36 PM, <keycloak-user-request at lists.jboss.org> wrote:
>
>> Message: 1
>> Date: Thu, 11 Feb 2016 11:16:29 -0200
>> From: Renann Prado <prado.renann at gmail.com>
>> Subject: Re: [keycloak-user] User-Federation
>> To: Reed Lewis <RLewis at carbonite.com>
>> Cc: keycloak-user at lists.jboss.org
>>
>> Is there any recommended way to make sure these endpoints won't be spammed
>> by an attacker? Looks like these endpoints need to be open to anyone.
>>
>> Thanks
>> On Feb 3, 2016 11:18, "Reed Lewis" <RLewis at carbonite.com> wrote:
>>
>> > If you use the federation provider listed here:
>> >
>> > [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
>> > [1]: https://github.com/Smartling/keycloak-user-migration-provider
>> >
>> > You can specify a URL that will be called when a user needs to be
>> > validated.
>> >
>> > There are three requests that need to be implemented in your server.
>> >
>> > GET <baseURL>/api/users/<username>/
>> > If the user exists, it should return a 200 with a json object with the
>> > return type "application/json" with the following fields:
>> > username
>> > email
>> > emailVerified
>> > firstName
>> > lastName
>> > roles ["user"]
>> >
>> > If the user does not exist, return a 404
>> >
>> > HEAD <baseURL>/api/users/<username>/
>> > Always return 200
>> >
>> > POST <baseURL>/api/users/<username>/
>> > The password is posted to you in a json object.
>> > Return 200 if the password is OK, 401 if not.  In both cases return no
>> > data.
>> >
>> > I wrote a small python module which implements these methods which works
>> > quite well.
>> >
>> > Reed
>> >
>> > From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stuart Jacobs
>> > <stuart.jacobs at symbiotics.co.za>
>> > Date: Wednesday, February 3, 2016 at 2:40 AM
>> > To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>> > Subject: [keycloak-user] User-Federation
>> >
>> > Hi Everyone,
>> >
>> > I have an application that runs on a postgresql database, keycloak has
>> > been configured and has created all the required tables/columns in my
>> > schema using liquibase on start up of the keycloak server.
>> >
>> > I need to authenticate users using the project's existing user table,
>> > obtaining the username and password from this table.
>> >
>> > I have had a look at the federation provider project under the example
>> > projects but this still eludes me as to how I change the keycloak mapping
>> > to use my own tables in postgres?
>> >
>> > Can someone please point me in the right direction or if someone has
>> > implemented such a solution please share how you have done it?
>> >
>> > Thanks everyone.
>> >
>> >   Regards,
>> >   Stuart Jacobs
>> >
>> > www.symbiotics.co.za
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 11 Feb 2016 11:17:14 -0200
>> From: Renann Prado <prado.renann at gmail.com>
>> Subject: Re: [keycloak-user] User-Federation
>> To: Reed Lewis <RLewis at carbonite.com>
>> Cc: keycloak-user at lists.jboss.org
>>
>> Everyone*
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 11 Feb 2016 09:06:49 -0500
>> From: Bill Burke <bburke at redhat.com>
>> Subject: Re: [keycloak-user] Keycloak as a SAML SP: Is it possible to
>>         configure Keycloak to use RSA-SHA256 as the algorithm to sign
>>         assertions.
>> To: keycloak-user at lists.jboss.org
>>
>> Where?  Keycloak Saml SP?  Keycloak Server interaction with an
>> app/client?  Or Keycloak Server acting as an SP in a broker scenario?
>>
>> They all *should* support plugging in the algorithm.  Did you configure
>> this correctly?
>>
>> On 2/11/2016 6:29 AM, Akshay Kini wrote:
>> > Hi Folks,
>> >
>> > We are using Keycloak as a SAML SP.
>> >
>> > I notice that SAML Assertions are signed using rsa-sha1, could we
>> > configure it to use RSA-SHA256?
>> >
>> > Thanks,
>> > Regards,
>> > Akshay
>> >
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
>> ------------------------------
>>
>>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
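Reed Lewis's three-endpoint contract quoted in the digest above (GET, HEAD and POST on /api/users/<username>/), as an added sketch that is neither Reed's module nor the Smartling provider's code: request handling is a pure function so the contract can be exercised without a socket. Assumptions not in the post: the password arrives under a JSON key named "password", the user store is a constructed dict holding a salted PBKDF2 hash rather than a plaintext password, and, to address Renann's point that these endpoints are open to anyone, password checks are rate-limited per client address (5 attempts per 60 seconds).

```python
import hashlib
import hmac
import json
import re
import time
from collections import defaultdict

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the application's user table (salted PBKDF2 hash, no plaintext).
_SALT = b"constructed-salt"
USERS = {
    "alice": {"username": "alice", "email": "alice@example.test",
              "emailVerified": True, "firstName": "Alice", "lastName": "Smith",
              "roles": ["user"], "pw": _hash("correct horse", _SALT)},
}
_PATH = re.compile(r"^/api/users/([A-Za-z0-9._@-]{1,64})/$")

# The endpoints must stay reachable, so password checks are rate-limited (assumed: 5 per 60 s).
LIMIT, WINDOW = 5, 60.0
_attempts = defaultdict(list)

def _rate_limited(client: str, now: float) -> bool:
    recent = [t for t in _attempts[client] if now - t < WINDOW]
    _attempts[client] = recent + [now]
    return len(recent) >= LIMIT

def handle(method: str, path: str, body: bytes, client: str, now=None):
    """Dispatch one request per the contract; returns (status, response_body)."""
    m = _PATH.match(path)
    if not m:
        return 404, b""
    user = USERS.get(m.group(1))
    if method == "HEAD":
        return 200, b""                      # contract: always 200
    if method == "GET":
        if user is None:
            return 404, b""
        return 200, json.dumps({k: v for k, v in user.items() if k != "pw"}).encode()
    if method == "POST":
        if _rate_limited(client, time.time() if now is None else now):
            return 429, b""
        try:
            digest = _hash(json.loads(body)["password"], _SALT)   # key name assumed
        except (ValueError, KeyError, TypeError, AttributeError):
            return 400, b""
        ok = user is not None and hmac.compare_digest(digest, user["pw"])
        return (200 if ok else 401), b""     # contract: no body either way
    return 405, b""
```

Wire `handle` to any HTTP server of your choice; the 429 and 400 responses are additions beyond Reed's contract and the provider will treat them as a failed validation.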