[keycloak-user] Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?

Hans Zandbelt hans.zandbelt at zmartzone.eu
Mon Jan 28 09:03:36 EST 2019


Hi Ed :-),

From a quick peek at the code [1] it looks like Keycloak re-uses the
per-identity provider setting for signing authentication requests for the
logout requests as well. By setting "Want AuthnRequests Signed" in the
configuration for NetIQ, Keycloak should start signing the logout requests
as well.

I believe you are right that the spec requires sending signed logout
requests when using the POST binding.

Let me know if that works,

Hans.

[1]
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java#L321

On Mon, Jan 28, 2019 at 12:41 PM <keycloak-user-request at lists.jboss.org>
wrote:

> ------------------------------
>
> Message: 2
> Date: Mon, 28 Jan 2019 11:10:53 +0000
> From: "Edgar Vonk - Info.nl" <Edgar at info.nl>
> Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest
>         not working with NetIQ Access Manager because it is not signed?
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <82603569-9670-44FD-8D01-9BA5F1998CEF at info.nl>
> Content-Type: text/plain; charset="utf-8"
>
> hi all,
>
> We are trying to set up Keycloak to act as a federated identity provider
> between our (OAuth2-enabled) application and the external SAML 2.0-enabled
> NetIQ Access Manager identity provider using:
> https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers
>
> The basic setup including authentication works fine. However, logging out
> does not. When attempting to log out from our application, Keycloak sends a
> SAML LogoutRequest to NetIQ Access Manager but NetIQ does not accept this
> request because, from what we understand from NetIQ, this request is not
> signed.
>
> It seems that Keycloak does not support sending signed LogoutRequests from
> SAML Identity Providers? Is this indeed the case and how could we go about
> solving this? Maybe create a custom IdentityProvider or possibly send a
> SAML LogoutRequest to NetIQ from our application directly?
>
> Example of SAML LogoutRequest sent by Keycloak:
>
> <samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo"
>     ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d"
>     IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/auth/realms/our-realm</saml:Issuer>
>     <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
>     <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
> </samlp:LogoutRequest>
>
>
> I am no expert on SAML at all but this is from the SAML 2.0 specs (
> https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf
> ):
>
> 4.4.4.1 <LogoutRequest> Usage:
>   "The requester MUST authenticate itself to the responder and ensure
> message integrity, either by signing the message or using a
> binding-specific mechanism."
>
> Should Keycloak not support signing SAML LogoutRequests?
>
> cheers
>
> Edgar
>
>
-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
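The check a responder such as NetIQ applies to an incoming LogoutRequest under the POST binding, as an added example that is neither Keycloak's nor NetIQ's code: parse the request and report whether it carries an enveloped XML signature referencing the request's own ID. The unsigned sample is the request from Edgar's post; the "signed" sample is a constructed skeleton with a placeholder SignatureValue, so this only checks presence and reference, while cryptographic verification remains the SAML stack's job.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {  # namespaces used by the LogoutRequest in the post
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed samples: UNSIGNED is the request Keycloak sent (from the post);
# SIGNED adds a skeleton ds:Signature whose Reference points at the request ID.
REQ_ID = "ID_7b7e1700-235b-403d-af08-a0c77dd7f26d"
UNSIGNED = f"""<samlp:LogoutRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://dummyhost.net/nidp/saml2/slo" ID="{REQ_ID}"
    IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0">
  <saml:Issuer>http://localhost:8080/auth/realms/our-realm</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">00001234</saml:NameID>
  <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
</samlp:LogoutRequest>"""
SIGNATURE = f"""<ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo>
  <ds:Reference URI="#{REQ_ID}"/></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"""
SIGNED = UNSIGNED.replace("</saml:Issuer>", "</saml:Issuer>" + SIGNATURE, 1)

def inspect_logout_request(xml_text: str) -> dict:
    """Parse a LogoutRequest and report the fields a responder checks before trusting it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError(f"not a samlp:LogoutRequest: {root.tag}")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": issuer,
        "has_signature": root.find("ds:Signature", NS) is not None,
        # an enveloped signature must reference the request's own ID ("#ID_...")
        "signature_covers_request": ref is not None and ref.get("URI") == "#" + root.get("ID", ""),
    }

def post_binding_problems(xml_text: str, expected_issuer: str) -> list:
    """Reasons a responder (here NetIQ) would reject the request under the HTTP-POST binding."""
    info = inspect_logout_request(xml_text)
    problems = []
    if not info["has_signature"]:
        problems.append("no ds:Signature: POST binding has no other way to authenticate the requester")
    elif not info["signature_covers_request"]:
        problems.append("ds:Signature does not reference the LogoutRequest ID")
    if info["issuer"] != expected_issuer:
        problems.append("Issuer %r is not the registered Keycloak IdP" % info["issuer"])
    return problems
```

With the Redirect binding the signature travels in the query string instead, so this XML-level check applies to the POST binding that NetIQ rejected here.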
