[keycloak-user] SAML2 exception - Undeclared namespace prefix "dsig"

Michael Mok teatimej at gmail.com
Thu Jun 29 19:56:10 EDT 2017


Hi there

We are using Keycloak 3.1.0 and when it is processing a SAML response, we
encountered the following error.

08:24:46,541 ERROR [io.undertow.request] (default task-352) UT005023: Exception handling request to /auth/realms/dev/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "dsig"
 at [row,col {unknown-source}]: [1,338]
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)


The "dsig" is declared in the header of the xml but Keycloak does not
appear to recognise it.


Here is the SAML response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
                xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                Destination="https://www.bill.com/auth/realms/dev/broker/saml/endpoint"
                ID="id--nk-7uGxvonvTG7h8NL09hLwcKIpGZC053Zj-3Cz"
                InResponseTo="ID_0c62fac6-d0d1-487d-91a6-44dd8c6cee16"
                IssueInstant="2017-06-29T00:24:46Z"
                Version="2.0"
                >
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://iamdev.edu/oam/fed</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion ID="id-S80vqfesnCZBogvgpKyOKL2z1I8Y-mlMpAQwVk8q"
                    IssueInstant="2017-06-29T00:24:46Z"
                    Version="2.0"
                    >
        <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://iamdev.edu/oam/fed</saml:Issuer>
        <dsig:Signature>
            <dsig:SignedInfo>
                <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <dsig:Reference URI="#id-S80vqfesnCZBogvgpKyOKL2z1I8Y-mlMpAQwVk8q">
                    <dsig:Transforms>
                        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </dsig:Transforms>
                    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <dsig:DigestValue>/9fx72oB3eQ5vDcEJE5q0u43P8k=</dsig:DigestValue>
                </dsig:Reference>
            </dsig:SignedInfo>
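
Added example (not part of the original post and not Keycloak code): a namespace-aware parser can report a prefix as undeclared even though the root element declares it when a child element is cut out and parsed on its own, shown here with Python's expat-based parser rather than Woodstox. Whether this is what happened in the poster's deployment is an assumption; the sample document and all function names are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample: same namespace layout as the response in the post
# (prefixes declared only on the root element), with placeholder values.
RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
    '<saml:Assertion ID="id-constructed" Version="2.0">'
    '<saml:Issuer>http://idp.example/fed</saml:Issuer>'
    '<dsig:Signature><dsig:SignedInfo/></dsig:Signature>'
    '</saml:Assertion></samlp:Response>'
)

def parse_error(xml_text):
    """Return None if namespace-aware parsing succeeds, else the parser's message."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)

def slice_assertion(xml_text):
    """Cut the Assertion out as raw text; ancestor xmlns declarations are left behind."""
    return re.search(r"<saml:Assertion\b.*?</saml:Assertion>", xml_text, re.S).group(0)

def unbound_prefixes(fragment):
    """Element-name prefixes used in the fragment but never declared inside it."""
    used = set(re.findall(r"</?([A-Za-z_][\w.-]*):", fragment))
    declared = set(re.findall(r"\bxmlns:([A-Za-z_][\w.-]*)=", fragment))
    return sorted(used - declared)

def carry_namespaces(fragment, xml_text):
    """Re-declare on the fragment root the prefixes it inherited (assumes no prefix is rebound)."""
    scope = dict(ns for _, ns in ET.iterparse(io.StringIO(xml_text), events=("start-ns",)))
    decls = "".join(f' xmlns:{p}="{scope[p]}"' for p in unbound_prefixes(fragment))
    return re.sub(r"^<([\w:.-]+)", lambda m: m.group(0) + decls, fragment, count=1)

if __name__ == "__main__":
    frag = slice_assertion(RESPONSE)
    print("whole response:", parse_error(RESPONSE))
    print("assertion alone:", parse_error(frag), unbound_prefixes(frag))
    print("with inherited xmlns:", parse_error(carry_namespaces(frag, RESPONSE)))
```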

