[keycloak-user] Validation of IdP SAML signatures using KeyInfo

[Mark Pardijs]

Hi,

Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here. 

We use a SAML IdP which is configured in Keycloak as federated IdP, and I’ve a question concerning the validation of SAML signatures. In Keycloaks Identity provider config page, the validating X509 Certificates can be configured, with description “The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,).” but in the code, I see that for checking the signatures a “HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details.

This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2.

My two questions concerning this approach:


 1.  Keycloak is currently expecting a <KeyInfo> element with a <KeyName> in the  incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I”m facing a NullPointer exception when sending a SAMLResponse without KeyInfo element.
 2.  What’s the idea behind the HardcodedKeyLocator, it doesn’t seem to match with the multiple keys configuration option in Keycloaks frontend. Is this a preliminary approach which should be extended?

Hope to hear your thoughts on this!

Mark