<div dir="ltr"><div><div><div><div>Hi Bill,<br><br></div>Thanks for looking into this.<br><br></div>The use case is:<br><br></div>Keycloak is an SP and it is sending an AuthnRequest via HTTP POST. This AuthnRequest is always using RSA-SHA1 for signing.<br><br></div>I have configured the Keycloak config file as follows:<br><keycloak-saml-adapter><br> <SP entityID="exampleEntityID"<br> sslPolicy="NONE"<br> logoutPage="/logout.jsp"<br> nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"<br> forceAuthentication="false"<br> signatureAlgorithm="RSA_SHA256"><br><div><br><div><div><br></div><div>In fact the SP element doesn't have the "signatureAlgorithm" documented anywhere in the SAML Client Adapter Reference Guide (it only exists for the IDP).<br><br></div><div>Now this is a bit of unfamiliar territory for me, but I looked into the Keycloak code base (master):<br></div><div>I see that the org.keycloak.adapters.saml.config.parsers.SPXmlParser doesn't deal with ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR while the IDPXmlParser does.<br><br></div><br></div><div>Again, thanks for looking into this.<br><br></div><div>P.S. Sorry to all the mailing list subscribers, this "chain" might get broken despite me changing the subject. I am not sure how to fix that when using Gmail and subscribing to a digest mailing list. Please send a direct e-mail to me if you know how to fix that.<br><br></div><div>Thanks,<br></div><div>Regards,<br></div><div>Akshay<br></div><div><div><br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 11, 2016 at 7:36 PM, <span dir="ltr"><<a href="mailto:keycloak-user-request@lists.jboss.org" target="_blank">keycloak-user-request@lists.jboss.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send keycloak-user mailing list submissions to<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:keycloak-user-request@lists.jboss.org" target="_blank">keycloak-user-request@lists.jboss.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:keycloak-user-owner@lists.jboss.org" target="_blank">keycloak-user-owner@lists.jboss.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of keycloak-user digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: User-Federation (Renann Prado)<br>
2. Re: User-Federation (Renann Prado)<br>
3. Re: Keycloak as a SAML SP: Is it possible to configure<br>
Keycloak to use RSA-SHA256 as the algorithm to sign assertions.<br>
(Bill Burke)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 11 Feb 2016 11:16:29 -0200<br>
From: Renann Prado <<a href="mailto:prado.renann@gmail.com" target="_blank">prado.renann@gmail.com</a>><br>
Subject: Re: [keycloak-user] User-Federation<br>
To: Reed Lewis <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>><br>
Cc: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<CAEBys6KM1-n6wFqTJAAqb_aYaQdZwuiaUz2AspF5d-8Za=<a href="mailto:E9wQ@mail.gmail.com" target="_blank">E9wQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Is there any recommended way to make sure these endpoints won't be spammed<br>
by an attacker? Looks like these endpoints need to be open to anyone.<br>
<br>
Thanks<br>
On Feb 3, 2016 11:18, "Reed Lewis" <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>> wrote:<br>
<br>
> If you use the federation provider listed here:<br>
><br>
> [0]: <a href="http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/" rel="noreferrer" target="_blank">http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/</a><br>
> [1]: <a href="https://github.com/Smartling/keycloak-user-migration-provider" rel="noreferrer" target="_blank">https://github.com/Smartling/keycloak-user-migration-provider</a><br>
><br>
> You can specify a URL that will be called when a user needs to be<br>
> validated.<br>
><br>
> There are three requests that need to be implemented in your server.<br>
><br>
> GET <baseURL>/api/users/<username>/<br>
> If the user exists, it should return a 200 with a json object with the<br>
> return type "application/json" with the following fields:<br>
> username<br>
> email<br>
> emailVerified<br>
> firstName<br>
> lastName<br>
> roles ["user"]<br>
><br>
> If the user does not exist, return a 404<br>
><br>
> HEAD <baseURL>/api/users/<username>/<br>
> Always return 200<br>
><br>
> POST <baseURL>/api/users/<username>/<br>
> The password is posted to you in a json object.<br>
> Return 200 if the password is OK, 401 if not. In both cases return no<br>
> data.<br>
><br>
> I wrote a small python module which implements these methods which works<br>
> quite well.<br>
><br>
> Reed<br>
><br>
> From: <<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a>> on behalf of Stuart Jacobs <<br>
> <a href="mailto:stuart.jacobs@symbiotics.co.za" target="_blank">stuart.jacobs@symbiotics.co.za</a>><br>
> Date: Wednesday, February 3, 2016 at 2:40 AM<br>
> To: "<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>" <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
> Subject: [keycloak-user] User-Federation<br>
><br>
> Hi Everyone,<br>
><br>
> I have an application that runs on a PostgreSQL database. Keycloak has<br>
> been configured and has created all the required tables/columns in my<br>
> schema using Liquibase on start up of the Keycloak server.<br>
><br>
> I need to authenticate users using the project's existing user table,<br>
> obtaining the username and password from this table.<br>
><br>
> I have had a look at the federation provider project under the example<br>
> projects, but this still eludes me as to how I change the Keycloak mapping<br>
> to use my own tables in PostgreSQL?<br>
><br>
> Can someone please point me in the right direction or if someone has<br>
> implemented such a solution please share how you have done it?<br>
><br>
> Thanks everyone.<br>
><br>
> Regards,<br>
> Stuart Jacobs<br>
><br>
> <a href="http://www.symbiotics.co.za" rel="noreferrer" target="_blank">www.symbiotics.co.za</a><br>
><br>
> ********************************************************************************<br>
> This email and any accompanying attachments may contain confidential and<br>
> proprietary information. This information is private and protected by law<br>
> and, accordingly, if you are not the intended recipient, you are requested<br>
> to delete this entire communication immediately and are notified that any<br>
> disclosure, copying or distribution of or taking any action based on this<br>
> information is prohibited.<br>
><br>
> Emails cannot be guaranteed to be secure or free of errors or viruses. The<br>
> sender does not accept any liability or responsibility for any<br>
> interception, corruption, destruction, loss, late arrival or incompleteness<br>
> of or tampering or interference with any of the information contained in<br>
> this email or for its incorrect delivery or non-delivery for whatsoever<br>
> reason or for its effect on any electronic device of the recipient.<br>
><br>
> ********************************************************************************<br>
><br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/d777c2bf/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/d777c2bf/attachment-0001.html</a><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 11 Feb 2016 11:17:14 -0200<br>
From: Renann Prado <<a href="mailto:prado.renann@gmail.com" target="_blank">prado.renann@gmail.com</a>><br>
Subject: Re: [keycloak-user] User-Federation<br>
To: Reed Lewis <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>><br>
Cc: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<CAEBys6+i6jFdycaCg-rf9vC=<a href="mailto:T7chbrkKeWsfAbNvC2tidKdhZw@mail.gmail.com" target="_blank">T7chbrkKeWsfAbNvC2tidKdhZw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Everyone*<br>
On Feb 11, 2016 11:16, "Renann Prado" <<a href="mailto:prado.renann@gmail.com" target="_blank">prado.renann@gmail.com</a>> wrote:<br>
<br>
> Is there any recommended way to make sure these endpoints won't be spammed<br>
> by an attacker? Looks like these endpoints need to be open to anyone.<br>
><br>
> Thanks<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/6164ad32/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/6164ad32/attachment-0001.html</a><br>
<br>
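The three endpoints Reed lists above (GET / HEAD / POST on /api/users/&lt;username&gt;/), plus the two controls Renann's question calls for, as an added example in Python. This is not code from the Smartling provider, from Keycloak, or from anyone on the thread. Two things it assumes that the thread does not state: that the provider is configured to send a shared secret in an X-Api-Key header, and that the password arrives in the POST body under the JSON key "password". The user store is constructed sample data.

```python
"""Legacy user-store endpoints for a Keycloak migration provider, hardened.

Added example for this thread, not code from the Smartling provider, Keycloak,
or anyone on the list.  Assumed (not stated on the page): the provider sends a
shared secret in an X-Api-Key header and posts {"password": "..."}.
"""
import hashlib
import hmac
import json
import os
import re
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

API_KEY = os.environ.get("LEGACY_API_KEY", "change-me-before-deploying")
USER_PATH = re.compile(r"^/api/users/(?P<username>[A-Za-z0-9._@-]{1,64})/$")


def pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


# Constructed sample store; a real legacy table would hold salted hashes too.
_SALT = b"per-user-salt-goes-here"
USERS = {
    "stuart": {
        "email": "stuart@example.com", "emailVerified": True,
        "firstName": "Stuart", "lastName": "Jacobs", "roles": ["user"],
        "pwhash": pbkdf2("correct horse battery staple", _SALT),
    },
}


class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int = 20, window: float = 60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle(method, path, headers, body, limiter, client_key, now=None):
    """Return (status, json_payload_or_None) for one request.

    Kept as a pure function so the HTTP glue stays trivial and the logic can be
    exercised without sockets."""
    # 1. Only the holder of the shared secret (Keycloak) may query the store.
    presented = headers.get("X-Api-Key", "")
    if not hmac.compare_digest(presented.encode("utf-8"), API_KEY.encode("utf-8")):
        return 403, None
    # 2. Throttle per source so a leaked URL cannot be used for password spraying.
    if not limiter.allow(client_key, now):
        return 429, None
    match = USER_PATH.match(path)
    if match is None:
        return 404, None
    username = match.group("username")
    user = USERS.get(username)
    if method == "HEAD":
        return 200, None            # liveness probe: always 200
    if user is None:
        return 404, None            # provider expects 404 for unknown users
    if method == "GET":
        profile = {k: v for k, v in user.items() if k != "pwhash"}
        profile["username"] = username
        return 200, profile
    if method == "POST":
        try:
            password = json.loads(body or "{}").get("password")
        except (ValueError, AttributeError):
            return 400, None
        if not isinstance(password, str):
            return 400, None
        ok = hmac.compare_digest(pbkdf2(password, _SALT), user["pwhash"])
        return (200 if ok else 401), None
    return 405, None


LIMITER = RateLimiter()


class Handler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8") if length else ""
        status, payload = handle(self.command, self.path, self.headers, body,
                                 LIMITER, self.client_address[0])
        data = json.dumps(payload).encode("utf-8") if payload is not None else b""
        self.send_response(status)
        if payload is not None:
            self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_HEAD = do_POST = _serve


if __name__ == "__main__":
    # Bind to loopback; put TLS in front, since Keycloak posts passwords here.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The 404-for-unknown-user contract the provider relies on means the endpoint confirms which usernames exist, so the shared secret (or client certificates at the TLS layer) and the rate limit are what keep it from being an enumeration and spraying oracle; the constant-time comparisons avoid leaking the secret or the hash through timing.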
------------------------------<br>
<br>
Message: 3<br>
Date: Thu, 11 Feb 2016 09:06:49 -0500<br>
From: Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br>
Subject: Re: [keycloak-user] Keycloak as a SAML SP: Is it possible to<br>
configure Keycloak to use RSA-SHA256 as the algorithm to sign<br>
assertions.<br>
To: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID: <<a href="mailto:56BC9579.8080102@redhat.com" target="_blank">56BC9579.8080102@redhat.com</a>><br>
Content-Type: text/plain; charset="windows-1252"<br>
<br>
Where? Keycloak Saml SP? Keycloak Server interaction with an<br>
app/client? Or Keycloak Server acting as an SP in a broker scenario?<br>
<br>
They all *should* support plugging in the algorithm. Did you configure<br>
this correctly?<br>
<br>
On 2/11/2016 6:29 AM, Akshay Kini wrote:<br>
> Hi Folks,<br>
><br>
> We are using Keycloak as a SAML SP.<br>
><br>
> I notice that SAML Assertions are signed using rsa-sha1, could we<br>
> configure it to use RSA-SHA256?<br>
><br>
> Thanks,<br>
> Regards,<br>
> Akshay<br>
><br>
><br>
> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/573d1ced/attachment.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/573d1ced/attachment.html</a><br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
End of keycloak-user Digest, Vol 26, Issue 56<br>
*********************************************<br>
</blockquote></div><br></div></div></div></div></div></div></div>