[keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
John Dennis
jdennis at redhat.com
Thu May 31 11:08:39 EDT 2018
On 05/25/2018 06:03 AM, Pierre Dupont wrote:
> Hi everyone,
>
> I'm using Keycloak 4.0.0.Beta2, and I'm trying to sign AuthnRequests from a
> Service Provider (Ruby Omniauth) to Keycloak.
>
> On Keycloak, I have set the "Client Signature Required" to On.
>
> I have set Omniauth parameters with the following values :
> "security" => {
> "authn_requests_signed" => true,
> "embed_sign" => true,
> "digest_method" => "XMLSecurity::Document::SHA1",
> "signature_method" => "XMLSecurity::Document::RSA_SHA1",
> }
>
> I also have copy-pasted the SAML keys from Keycloak to the SP.
>
> When initiating a SAML request at the SP, I am redirected to an error page
> with "Invalid requester" on Keycloak.
> In the logs, I got the following :
> 08:49:19,057 ERROR [org.keycloak.protocol.saml.SamlService] (default task-64) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:135)
>     at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(SamlService.java:518)
>     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:233)
>     ...
> 08:49:19,058 WARN [org.keycloak.events] (default task-64) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.42.128.4, error=invalid_signature
>
> It seems that Keycloak can't read the Signature Algorithm value. I checked
> the SAML data, and the SignatureMethod is set :
> <ds:SignatureMethod Algorithm="XMLSecurity::Document::RSA_SHA1" />
>
> I checked my parameters, certificates (tried to use new ones), but I always
> get this error.
>
> What am I doing wrong? Has anyone managed to sign their AuthnRequests or
> encountered the same errors? I haven't found anything similar on the
> internet.
The value you're sending for SignatureAlgorithm is bogus. Refer to the
xml signature spec for valid values:
https://www.w3.org/TR/xmldsig-core/#sec-SignatureAlg
--
John Dennis
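Added example (editor's code, not from this thread, Keycloak or Omniauth) showing what the IdP's Redirect-binding check in the log above is actually looking for. With the HTTP-Redirect binding the signature is not embedded in the AuthnRequest XML: the SP DEFLATEs and base64-encodes the request, then sends SigAlg and Signature as separate query parameters, where the signature covers the URL-encoded SAMLRequest, RelayState and SigAlg components and SigAlg is one of the xmldsig algorithm URIs. The verifier below reproduces the three failure modes a practitioner hits: no SigAlg parameter at all (the "SigAlg was null" in the log, which is what you get when the signature is only embedded in the XML), an algorithm identifier that is not a spec URI (the bogus value in the quoted SignatureMethod), and a signature that no longer matches the query. The IdP endpoint, SP key and AuthnRequest are constructed for the example.

```ruby
require "openssl"
require "zlib"
require "base64"
require "uri"
require "cgi"

# Signature algorithm identifiers from xmldsig-core / xmldsig-more (assumed set;
# a real IdP may accept more, but every entry must be one of these URIs).
RSA_SHA1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SIG_ALGS   = { RSA_SHA1 => "SHA1", RSA_SHA256 => "SHA256" }.freeze

class VerificationError < StandardError; end

# Constructed sample AuthnRequest (hypothetical SP and endpoint).
SAMPLE_AUTHN_REQUEST = <<~XML
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_example-id-1" Version="2.0" IssueInstant="2018-05-25T08:49:19Z"
      AssertionConsumerServiceURL="https://sp.example.test/auth/saml/callback">
    <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  </samlp:AuthnRequest>
XML

# Raw DEFLATE (negative window bits = no zlib header) + base64, as the
# HTTP-Redirect binding requires.
def deflate_b64(xml)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  data = z.deflate(xml, Zlib::FINISH)
  z.close
  Base64.strict_encode64(data)
end

def inflate_b64(b64)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(Base64.strict_decode64(b64))
end

# The octets that get signed: URL-encoded components in this fixed order.
def signed_payload(saml_request_b64, relay_state, sig_alg)
  parts = ["SAMLRequest=#{CGI.escape(saml_request_b64)}"]
  parts << "RelayState=#{CGI.escape(relay_state)}" if relay_state
  parts << "SigAlg=#{CGI.escape(sig_alg)}"
  parts.join("&")
end

# SP side: build the signed redirect URL. The algorithm must be a known URI;
# a string such as "XMLSecurity::Document::RSA_SHA1" is rejected here rather
# than ending up in the request as the example in the thread did.
def build_signed_redirect(idp_sso_url, authn_request_xml, key, relay_state: nil, sig_alg: RSA_SHA256)
  digest = SIG_ALGS.fetch(sig_alg) { raise ArgumentError, "unknown SigAlg #{sig_alg.inspect}" }
  payload = signed_payload(deflate_b64(authn_request_xml), relay_state, sig_alg)
  signature = key.sign(OpenSSL::Digest.new(digest), payload)
  "#{idp_sso_url}?#{payload}&Signature=#{CGI.escape(Base64.strict_encode64(signature))}"
end

# IdP side: verify using the raw (still URL-encoded) query components exactly
# as received, never re-encoded, and the SP public key from its metadata.
# Returns the inflated AuthnRequest XML on success.
def verify_redirect(url, sp_public_key)
  raw = URI(url).query.to_s.split("&").map { |kv| kv.split("=", 2) }.to_h
  raise VerificationError, "SigAlg was null" unless raw["SigAlg"]
  raise VerificationError, "Signature was null" unless raw["Signature"]

  sig_alg = CGI.unescape(raw["SigAlg"])
  digest = SIG_ALGS.fetch(sig_alg) { raise VerificationError, "unsupported SigAlg #{sig_alg.inspect}" }

  payload = %w[SAMLRequest RelayState SigAlg].select { |k| raw.key?(k) }
                                             .map { |k| "#{k}=#{raw[k]}" }.join("&")
  signature = Base64.strict_decode64(CGI.unescape(raw["Signature"]))
  unless sp_public_key.verify(OpenSSL::Digest.new(digest), signature, payload)
    raise VerificationError, "invalid_signature"
  end
  inflate_b64(CGI.unescape(raw["SAMLRequest"]))
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # throwaway SP key for the example
  url = build_signed_redirect("https://idp.example.test/auth/realms/master/protocol/saml",
                              SAMPLE_AUTHN_REQUEST, key, relay_state: "/dashboard")
  puts url
  puts verify_redirect(url, key.public_key)
end
```

Binding choice matters here: if the SP is configured to embed an XML signature in the request (embed_sign) but transmits it over the Redirect binding, the IdP never sees a SigAlg parameter and fails exactly as in the log, however valid the embedded signature is. Embedded XML signatures belong to the HTTP-POST binding.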