[keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)

Pierre Dupont pierredupontdal at gmail.com
Mon May 28 04:32:29 EDT 2018 

Hi Luis,

Thank you for your answer. I tried your suggestion, following the provided
example.
My SAML request has changed, but I still get the same error, i.e SigAlg was
null.
My guess is that Keycloak doesn't manage to read the value in the SAML
request.

Here is my SAML request (retrieved with SAML Tracer on Firefox) :
<samlp:AuthnRequest AssertionConsumerServiceURL="..." Destination="..." ID=
"_5c3e604e-7dad-443e-9b10-5cbe2d685081" IssueInstant="2018-05-28T07:26:17Z"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp
="urn:oasis:names:tc:SAML:2.0:protocol" >
<saml:Issuer>...</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
<ds:Reference URI="#_5c3e604e-7dad-443e-9b10-5cbe2d685081">
<ds:Transforms>
<ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi md"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:NameIDPolicy AllowCreate="true" Format=
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</samlp:AuthnRequest>

As expected, I have the correct values for SignatureMethod and
DigestMethod. I'm short of ideas.

Thanks in advance,

Pierre

Date: Fri, 25 May 2018 14:39:03 +0200
From: Luis Rodr?guez Fern?ndez <uo67113 at gmail.com>
Subject: Re: [keycloak-user] SAML signing AuthnRequest results in
        invalid_signature (SigAlg was null)
To: keycloak-user at lists.jboss.org
Message-ID:
        <CACp70MkD1nWyy600hw-y-ZX8gKqv5RB-gpU_UFE7VAW0_nL2VA at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hello Pierre,

mmm, If I am not wrong, usually for signature methods SAML uses the URI
identifier [1]. E.g. my IdP (ADFS) likes "
http://www.w3.org/2000/09/xmldsig#rsa-sha1". You can have look at this
example: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a

Hope it helps,

Luis

[1] https://www.w3.org/TR/xmlsec-algorithms/
[2]

More information about the keycloak-user mailing list