[keycloak-user] Encrypt samlp:Response with Keycloak

Hynek Mlnarik hmlnarik at redhat.com
Wed Apr 19 09:11:52 EDT 2017


[re-adding list]

On 04/19/2017 02:47 PM, Metehan Selvi wrote:
> Hi,
> in fact it is the second option:
> Keycloak as IdP for the sales-post-enc SP (both on the same WildFly/Keycloak instance) with OpenAM as brokered IdP:
> 
> - I deployed sales-post-enc with the mvn clean package wildfly:deploy option,
> - I entered the admin console and inside the saml-demo realm, I imported the OpenAM IDPSSODescriptor,
> - On the Export tab (from the Identity Providers menu) I took the SPSSODescriptor section under the Download button and imported Keycloak as a remote SP on the OpenAM login site.
> What I found strange is that there is no KeyDescriptor for encryption, only for signing.
> 
> (Also there is no KeyDescriptor for encryption in the SPSSODescriptor for Clients when Encrypt Assertions is enabled and there are EncryptionKey and SigningKey available.)

Please file an issue in Keycloak JIRA.

> The HTTP 500 error occurs on the OpenAM side when encryption is enabled on the IdP and before the SAML Response is generated.
> If encryption is disabled on OpenAM, the SAML Responses are generated correctly without errors.

500 is not thrown in Keycloak and the SAML response [to be generated by OpenAM] does not get to Keycloak either. Hence I believe OpenAM support is the correct target audience. Please share further details (e.g. the exception) if you find out that the issue is specific to Keycloak communication with OpenAM.

Thanks

--Hynek

> 
> Cheers
> 
> 
> On Wed, Apr 19, 2017 at 9:17 AM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
> 
>     On Tue, Apr 18, 2017 at 3:04 PM, Metehan Selvi <mselvi78 at gmail.com> wrote:
>     > Hi there,
>     > I configured OpenAM as IdP and Keycloak as SP together.
>     > I use the sales-post-enc example app.
> 
>     Do you mean using Keycloak adapters as SP and OpenAM as IdP, or OpenAM
>     as brokered IdP while using Keycloak as IdP for sales-post-enc SP?
> 
>     > SAML AuthnRequests and SAML Responses are working
>     > (encryption disabled).
>     >
>     > When I enable encryption in OpenAM and in the app, the SAML Responses
>     > cannot be encrypted in OpenAM as it throws exceptions with HTTP 500
>     > responses.
> 
>     Is it OpenAM or Keycloak returning HTTP 500 error? If Keycloak, can
>     you share details of the exception?
> 
>     > How do I get out of the problem?
>     >
>     > When I want to export the SPSSODescriptor from Keycloak for the OpenAM IdP,
>     > it contains only the KeyDescriptor for signing. Normally it should also be
>     > possible to export the KeyDescriptor for encryption. Is this maybe the
>     > failure?
>     >
>     > Other ideas to get rid of the problem?
>     >
>     > Cheers
>     > Metehan Selvi
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> 
>     --
> 
>     --Hynek
> 
> 
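The point of contention in this thread is whether the SP metadata Keycloak exports advertises a key that a brokered IdP may use to encrypt assertions. The script below is an added example, not code from Keycloak, OpenAM, or anyone on this thread: it parses an SPSSODescriptor, reports which key uses the KeyDescriptor elements advertise (a KeyDescriptor with no use attribute counts for both signing and encryption, as the SAML metadata schema defines it), and appends a use="encryption" KeyDescriptor that reuses the existing certificate so the metadata can be handed to the IdP. The entityID, the AssertionConsumerService URL and the base64 certificate value are constructed placeholders; whether the IdP in question accepts a metadata document with no encryption key at all is not something this exchange settles, so the script only makes the advertised keys explicit.

```python
"""Inspect and patch KeyDescriptor usage in SAML 2.0 SP metadata.

Added example; not Keycloak or OpenAM code.  Uses only the standard library.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Standard XML Encryption algorithm identifier for the EncryptionMethod hint.
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

# Constructed sample: SP metadata that advertises a signing key only.
# The certificate value is a placeholder string, not a real X.509 certificate.
FAKE_CERT = base64.b64encode(b"CONSTRUCTED-SP-CERT-PLACEHOLDER").decode()
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://localhost:8080/sales-post-enc/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/sales-post-enc/saml" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _spsso(root):
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor in metadata")
    return spsso


def key_uses(metadata_xml):
    """Return {'signing': n, 'encryption': n} counted over KeyDescriptor children.

    A KeyDescriptor without a 'use' attribute applies to both purposes, so it
    is counted under both keys; an unknown 'use' value is rejected.
    """
    counts = {"signing": 0, "encryption": 0}
    for kd in _spsso(ET.fromstring(metadata_xml)).findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        if use is None:
            uses = ("signing", "encryption")
        elif use in counts:
            uses = (use,)
        else:
            raise ValueError(f"unexpected KeyDescriptor use={use!r}")
        for u in uses:
            counts[u] += 1
    return counts


def idp_can_encrypt_for(metadata_xml):
    """True if the SP advertises at least one key an IdP may encrypt to."""
    return key_uses(metadata_xml)["encryption"] > 0


def add_encryption_key_descriptor(metadata_xml, cert_b64, algorithm=AES128_CBC):
    """Return the metadata with a use="encryption" KeyDescriptor added.

    The schema orders KeyDescriptor before the service endpoints inside
    SPSSODescriptor, so the new element goes right after the last existing
    KeyDescriptor (or first, if there is none) rather than at the end.
    """
    root = ET.fromstring(metadata_xml)
    spsso = _spsso(root)
    kd = ET.Element(f"{{{NS['md']}}}KeyDescriptor", use="encryption")
    keyinfo = ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo")
    x509data = ET.SubElement(keyinfo, f"{{{NS['ds']}}}X509Data")
    ET.SubElement(x509data, f"{{{NS['ds']}}}X509Certificate").text = cert_b64
    ET.SubElement(kd, f"{{{NS['md']}}}EncryptionMethod", Algorithm=algorithm)
    existing = spsso.findall("md:KeyDescriptor", NS)
    index = list(spsso).index(existing[-1]) + 1 if existing else 0
    spsso.insert(index, kd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", key_uses(SP_METADATA))
    patched = add_encryption_key_descriptor(SP_METADATA, FAKE_CERT)
    print("after: ", key_uses(patched))
    print(patched)
```

Run it against a real export by replacing SP_METADATA with the downloaded document; the before/after counts show whether the IdP has an encryption key to work with. Reusing the signing certificate for encryption is the simplest fix for a test setup; a separate key pair for encryption is the cleaner choice when both are available.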


More information about the keycloak-user mailing list