[keycloak-user] SAML RSAKeyValue causing error

Hynek Mlnarik hmlnarik at redhat.com
Wed Oct 3 03:56:59 EDT 2018


Yes, you can set Keycloak not to include KeyInfo via system
property picketlink.xmlsig.includeKeyInfo set to false. This is far from
ideal though since it affects all clients. Feel free to raise a feature
request in JIRA to support this better.

On Wed, Sep 19, 2018 at 7:51 PM Dean Peterson <peterson.dean at gmail.com>
wrote:

> I am having trouble using Keycloak as the external provider to our
> Websphere Application. I received the following response from IBM support:
>
> I discussed the issue with our SAML SSO SME. He found in SAML token,
> besides X509Certificate, it also contains RSAKeyValue (<dsig:RSAKeyValue>).
> This document states:
>
> https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/cwbs_limitationsofsaml.html
>
> RSAKeyValue is supported for the KeyInfo element in a Signature. However,
> the X.509 certificate is not available when using RSAKeyValue. When the
> X.509 certificate is not available to the runtime, the signer of the SAML
> Assertion cannot be checked against a truststore. If you want to receive
> SAML Assertions that use RSAKeyValue you cannot configure the runtime to
> use a truststore.
>
> Can you config the idP so that it only sends X509 certificate, not RSAKey?
>
>
> Is it possible to remove the RSAKeyValue from the saml token and still send
> just the certificate?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
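The thread above turns on what a Keycloak-signed response carries inside ds:KeyInfo: an X509Certificate, an RSAKeyValue, or (with picketlink.xmlsig.includeKeyInfo=false) nothing. The script below is an added example, not code from Keycloak, PicketLink or IBM; it walks every ds:Signature in a captured SAML response and reports which key material each KeyInfo contains, so the effect of the system property can be checked before and after the change. The element layout follows XML-DSig (ds:KeyInfo, ds:X509Data/ds:X509Certificate, ds:KeyValue/ds:RSAKeyValue); the two sample responses, their IDs, issuer, certificate and key values are constructed placeholders.

```python
"""Report what key material each ds:Signature in a SAML response carries.

Added example (not Keycloak, PicketLink or IBM code). The samples below are
constructed; certificate and key values are placeholders, not real keys.
"""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed sample: response signature and assertion signature, each with a
# KeyInfo holding both an X509Certificate and an RSAKeyValue (the situation
# described in the thread).
SAMPLE_WITH_BOTH = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" ID="ID_resp_1">
  <saml:Issuer>https://idp.example.test/auth/realms/demo</saml:Issuer>
  <dsig:Signature>
    <dsig:SignedInfo/>
    <dsig:SignatureValue>UExBQ0VIT0xERVI=</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:KeyName>demo-key</dsig:KeyName>
      <dsig:X509Data><dsig:X509Certificate>PLACEHOLDER-CERT-BASE64</dsig:X509Certificate></dsig:X509Data>
      <dsig:KeyValue><dsig:RSAKeyValue>
        <dsig:Modulus>PLACEHOLDER-MODULUS</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent>
      </dsig:RSAKeyValue></dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <saml:Assertion ID="ID_assert_1">
    <saml:Issuer>https://idp.example.test/auth/realms/demo</saml:Issuer>
    <dsig:Signature>
      <dsig:SignedInfo/>
      <dsig:SignatureValue>UExBQ0VIT0xERVI=</dsig:SignatureValue>
      <dsig:KeyInfo>
        <dsig:X509Data><dsig:X509Certificate>PLACEHOLDER-CERT-BASE64</dsig:X509Certificate></dsig:X509Data>
        <dsig:KeyValue><dsig:RSAKeyValue>
          <dsig:Modulus>PLACEHOLDER-MODULUS</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue></dsig:KeyValue>
      </dsig:KeyInfo>
    </dsig:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: what a signature looks like once KeyInfo is omitted
# entirely (the effect of picketlink.xmlsig.includeKeyInfo=false).
SAMPLE_NO_KEYINFO = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" ID="ID_resp_2">
  <dsig:Signature>
    <dsig:SignedInfo/>
    <dsig:SignatureValue>UExBQ0VIT0xERVI=</dsig:SignatureValue>
  </dsig:Signature>
</samlp:Response>"""


def key_info_summary(xml_text):
    """Return one dict per ds:Signature, in document order.

    Each dict records the local name of the signed element (the Signature's
    parent) and whether its KeyInfo carries an X509Certificate and/or an
    RSAKeyValue.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    summary = []
    for sig in root.iter("{%s}Signature" % DS):
        key_info = sig.find("ds:KeyInfo", NS)
        has_cert = key_info is not None and key_info.find(".//ds:X509Certificate", NS) is not None
        has_rsa = key_info is not None and key_info.find(".//ds:RSAKeyValue", NS) is not None
        summary.append({
            "signed_element": parents[sig].tag.split("}")[-1],
            "key_info_present": key_info is not None,
            "x509_certificate": has_cert,
            "rsa_key_value": has_rsa,
        })
    return summary


def classify(entry):
    """Collapse one summary entry into 'both', 'x509', 'rsakeyvalue' or 'none'."""
    if entry["x509_certificate"] and entry["rsa_key_value"]:
        return "both"
    if entry["x509_certificate"]:
        return "x509"
    if entry["rsa_key_value"]:
        return "rsakeyvalue"
    return "none"


def main():
    for label, sample in (("with KeyInfo", SAMPLE_WITH_BOTH), ("without KeyInfo", SAMPLE_NO_KEYINFO)):
        print(label)
        for entry in key_info_summary(sample):
            print("  %-10s KeyInfo=%s" % (entry["signed_element"], classify(entry)))


if __name__ == "__main__":
    main()
```

Run it against a response captured from the browser (base64-decode the SAMLResponse form field first). A KeyInfo reported as "both" is the case IBM describes; "none" is what the includeKeyInfo property produces, which then leaves the SP to locate the signing certificate from its own configuration or the IdP metadata rather than from the message.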

