<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
So, you're not using keycloak-server, just our SAML client SP
adapter?<br>
<br>
<a class="moz-txt-link-freetext" href="http://keycloak.github.io/docs/userguide/saml-client-adapter/html/adapter-config.html#d4e124">http://keycloak.github.io/docs/userguide/saml-client-adapter/html/adapter-config.html#d4e124</a><br>
<br>
You can set the signature algorithm there. The IDP section is
basically describing what the IDP expects when you communicate to
it.<br>
<br>
<div class="moz-cite-prefix">On 2/12/2016 6:43 AM, Akshay Kini
wrote:<br>
</div>
<blockquote
cite="mid:CAFtx=Tnutkf-X-bHjKXuOdiC1kRh-eM67ZnCmJ7ikuNrEEiXRg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Hi Bill,<br>
<br>
</div>
Thanks for looking into this.<br>
<br>
</div>
The usecase is:<br>
<br>
</div>
Keycloak is an SP and it is sending an AuthnRequest via HTTP
Post. This AuthnRequest is always using RSA-SHA1 for signing.<br>
<br>
</div>
I have configured the Keycloak config file as follows:<br>
<pre>&lt;keycloak-saml-adapter&gt;
    &lt;SP entityID="exampleEntityID"
        sslPolicy="NONE"
        logoutPage="/logout.jsp"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        forceAuthentication="false"
        signatureAlgorithm="RSA_SHA256"&gt;
        &lt;!-- rest of the configuration omitted --&gt;
    &lt;/SP&gt;
&lt;/keycloak-saml-adapter&gt;</pre>
<div><br>
<div>
<div><br>
</div>
<div>In fact the SP element doesn't have the
"signatureAlgorithm" documented anywhere in the SAML
Client Adapter Reference Guide (it only exists for the
IDP).<br>
<br>
</div>
<div>Now this is a bit of unfamiliar territory for me, but I
looked into the Keycloak Code base (master):<br>
</div>
<div>I see that the
org.keycloak.adapters.saml.config.parsers.SPXmlParser
doesn't deal with
ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR while the
IDPXmlParser does. <br>
<br>
</div>
<br>
</div>
<div>Again, thanks for looking into this.<br>
<br>
</div>
<div>P.S. Sorry to all the mailing list subscribers, this
"chain" might get broken despite me changing the subject. I
am not sure how to fix that when using Gmail and subscribing
to a digest mailing-list. Please send a direct e-mail to me
if you know how to fix that.<br>
<br>
</div>
<div>Thanks,<br>
</div>
<div>Regards,<br>
</div>
<div>Akshay <br>
</div>
<div>
<div><br>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Feb 11, 2016 at
7:36 PM, <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:keycloak-user-request@lists.jboss.org"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:keycloak-user-request@lists.jboss.org">keycloak-user-request@lists.jboss.org</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Today's Topics:<br>
<br>
1. Re: User-Federation (Renann Prado)<br>
2. Re: User-Federation (Renann Prado)<br>
3. Re: Keycloak as a SAML SP: Is it possible
to configure<br>
Keycloak to use RSA-SHA256 as the
algorithm to sign assertions.<br>
(Bill Burke)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 11 Feb 2016 11:16:29 -0200<br>
From: Renann Prado <<a moz-do-not-send="true"
href="mailto:prado.renann@gmail.com"
target="_blank">prado.renann@gmail.com</a>><br>
Subject: Re: [keycloak-user] User-Federation<br>
To: Reed Lewis <<a moz-do-not-send="true"
href="mailto:RLewis@carbonite.com"
target="_blank">RLewis@carbonite.com</a>><br>
Cc: <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<CAEBys6KM1-n6wFqTJAAqb_aYaQdZwuiaUz2AspF5d-8Za=<a
moz-do-not-send="true"
href="mailto:E9wQ@mail.gmail.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:E9wQ@mail.gmail.com">E9wQ@mail.gmail.com</a></a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Is there any recommended way to make sure these
endpoints won't be spammed<br>
by an attacker? Looks like these endpoints need
to be open to anyone.<br>
<br>
Thanks<br>
On Feb 3, 2016 11:18, "Reed Lewis" <<a
moz-do-not-send="true"
href="mailto:RLewis@carbonite.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:RLewis@carbonite.com">RLewis@carbonite.com</a></a>>
wrote:<br>
<br>
> If you use the federation provider listed
here:<br>
><br>
> [0]: <a moz-do-not-send="true"
href="http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/"
rel="noreferrer" target="_blank">http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/</a><br>
> [1]: <a moz-do-not-send="true"
href="https://github.com/Smartling/keycloak-user-migration-provider"
rel="noreferrer" target="_blank">https://github.com/Smartling/keycloak-user-migration-provider</a><br>
><br>
> You can specify a URL that will be called
when a user needs to be<br>
> validated.<br>
><br>
> There are three requests that need to be
implemented in your server.<br>
><br>
> GET
&lt;baseURL&gt;/api/users/&lt;username&gt;/<br>
> If the user exists, it should return a 200
with a json object with the<br>
> return type "application/json" with the
following fields:<br>
> username<br>
> email<br>
> emailVerified<br>
> firstName<br>
> lastName<br>
> roles ["user"]<br>
><br>
> If the user does not exist, return a 404<br>
><br>
> HEAD
&lt;baseURL&gt;/api/users/&lt;username&gt;/<br>
> Always return 200<br>
><br>
> POST
&lt;baseURL&gt;/api/users/&lt;username&gt;/<br>
> The password is posted to you in a json
object.<br>
> Return 200 if the password is OK, 401 if
not. In both cases return no<br>
> data.<br>
><br>
> I wrote a small python module which
implements these methods which works<br>
> quite well.<br>
><br>
> Reed<br>
><br>
> From: <<a moz-do-not-send="true"
href="mailto:keycloak-user-bounces@lists.jboss.org"
target="_blank">keycloak-user-bounces@lists.jboss.org</a>>
on behalf of Stuart Jacobs <<br>
> <a moz-do-not-send="true"
href="mailto:stuart.jacobs@symbiotics.co.za"
target="_blank">stuart.jacobs@symbiotics.co.za</a>><br>
> Date: Wednesday, February 3, 2016 at 2:40
AM<br>
> To: "<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a>><br>
> Subject: [keycloak-user] User-Federation<br>
><br>
> Hi Everyone,<br>
><br>
> I have an application that runs on a
postgresql database, keycloak has<br>
> been configured and has created all the
required tables/columns in my<br>
> schema using liquibase on start up of the
keycloak server.<br>
><br>
> I need to authenticate users using the
project's existing user table,<br>
> obtaining the username and password from
this table.<br>
><br>
> I have had a look at the federation
provider project under the example<br>
> projects, but this still eludes me as to how
I change the keycloak mapping<br>
> to use my own tables in postgres?<br>
><br>
> Can someone please point me in the right
direction or if someone has<br>
> implemented such a solution please share
how you have done it?<br>
><br>
> Thanks everyone.<br>
><br>
> Regards,<br>
> Stuart Jacobs<br>
><br>
> <a moz-do-not-send="true"
href="http://www.symbiotics.co.za"
rel="noreferrer" target="_blank">www.symbiotics.co.za</a><br>
><br>
><br>
>
_______________________________________________<br>
> keycloak-user mailing list<br>
> <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
> <a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 11 Feb 2016 11:17:14 -0200<br>
From: Renann Prado <<a moz-do-not-send="true"
href="mailto:prado.renann@gmail.com"
target="_blank">prado.renann@gmail.com</a>><br>
Subject: Re: [keycloak-user] User-Federation<br>
To: Reed Lewis <<a moz-do-not-send="true"
href="mailto:RLewis@carbonite.com"
target="_blank">RLewis@carbonite.com</a>><br>
Cc: <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<CAEBys6+i6jFdycaCg-rf9vC=<a
moz-do-not-send="true"
href="mailto:T7chbrkKeWsfAbNvC2tidKdhZw@mail.gmail.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:T7chbrkKeWsfAbNvC2tidKdhZw@mail.gmail.com">T7chbrkKeWsfAbNvC2tidKdhZw@mail.gmail.com</a></a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Everyone*<br>
On Feb 11, 2016 11:16, "Renann Prado" <<a
moz-do-not-send="true"
href="mailto:prado.renann@gmail.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:prado.renann@gmail.com">prado.renann@gmail.com</a></a>>
wrote:<br>
<br>
> Is there any recommended way to make sure
these endpoints won't be spammed<br>
> by an attacker? Looks like these endpoints
need to be open to anyone.<br>
><br>
> Thanks<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Thu, 11 Feb 2016 09:06:49 -0500<br>
From: Bill Burke <<a moz-do-not-send="true"
href="mailto:bburke@redhat.com"
target="_blank">bburke@redhat.com</a>><br>
Subject: Re: [keycloak-user] Keycloak as a SAML
SP: Is it possible to<br>
configure Keycloak to use RSA-SHA256 as
the algorithm to sign<br>
assertions.<br>
To: <a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID: <<a moz-do-not-send="true"
href="mailto:56BC9579.8080102@redhat.com"
target="_blank">56BC9579.8080102@redhat.com</a>><br>
Content-Type: text/plain; charset="windows-1252"<br>
<br>
Where? Keycloak Saml SP? Keycloak Server
interaction with an<br>
app/client? Or Keycloak Server acting as an SP
in a broker scenario?<br>
<br>
They all *should* support plugging in the
algorithm. Did you configure<br>
this correctly?<br>
<br>
On 2/11/2016 6:29 AM, Akshay Kini wrote:<br>
> Hi Folks,<br>
><br>
> We are using Keycloak as a SAML SP.<br>
><br>
> I notice that SAML Assertions are signed
using rsa-sha1, could we<br>
> configure it to use RSA-SHA256?<br>
><br>
> Thanks,<br>
> Regards,<br>
> Akshay<br>
><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com"
rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
<br>
<br>
------------------------------<br>
<br>
<br>
End of keycloak-user Digest, Vol 26, Issue 56<br>
*********************************************<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
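<p>An added check for the question in this thread (which algorithm the SP actually signs its AuthnRequest with): a Python script that is not Keycloak's own code. It decodes an HTTP-POST-binding SAMLRequest, reads the ds:SignatureMethod Algorithm URI out of the enveloped signature, and compares it with the signatureAlgorithm on the IDP element of keycloak-saml.xml. The adapter config, the two sample AuthnRequests and the name-to-URI table are constructed here (the RSA_SHA512 and DSA_SHA1 entries are an assumption about the full value set; the thread only discusses RSA_SHA1 and RSA_SHA256). No signature is verified, only inspected.</p>

```python
"""Check which XML-DSig algorithm a SAML SP really signed its AuthnRequest with
(HTTP-POST binding) and compare it with the adapter configuration.
Added example, stdlib only; all sample inputs below are constructed."""
import base64
import xml.etree.ElementTree as ET
from typing import Optional

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Algorithm URIs behind the names the adapter's signatureAlgorithm attribute
# takes. RSA_SHA1/RSA_SHA256 are the ones the thread discusses; RSA_SHA512 and
# DSA_SHA1 are added for completeness (assumption about the full set).
KEYCLOAK_ALG_URI = {
    "RSA_SHA1": DS + "rsa-sha1",
    "DSA_SHA1": DS + "dsa-sha1",
    "RSA_SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "RSA_SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
WEAK_ALG_URIS = {DS + "rsa-sha1", DS + "dsa-sha1"}


def decode_post_binding(saml_request_b64: str) -> str:
    """The HTTP-POST binding carries the message as plain base64 of the XML.
    (The Redirect binding DEFLATEs it and puts the signature in the SigAlg /
    Signature query parameters, so this check does not apply there.)"""
    return base64.b64decode(saml_request_b64).decode("utf-8")


def signature_algorithm(saml_xml: str) -> Optional[str]:
    """Return the ds:SignatureMethod Algorithm URI of the enveloped signature,
    or None if the message carries no signature. Nothing is verified here."""
    root = ET.fromstring(saml_xml)
    method = root.find(
        f".//{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    return None if method is None else method.get("Algorithm")


def is_weak(algorithm_uri: Optional[str]) -> bool:
    """SHA-1 based (or missing) signatures count as weak."""
    return algorithm_uri is None or algorithm_uri in WEAK_ALG_URIS


def configured_algorithms(adapter_xml: str) -> dict:
    """signatureAlgorithm from both SP and IDP elements of keycloak-saml.xml.
    Per the thread only the IDP element's attribute is parsed by the adapter;
    both are reported so a misplaced SP-level attribute is visible."""
    root = ET.fromstring(adapter_xml)
    return {tag: (None if root.find(tag) is None
                  else root.find(tag).get("signatureAlgorithm"))
            for tag in ("SP", "IDP")}


def check(adapter_xml: str, saml_request_b64: str) -> dict:
    """Compare the IDP-configured algorithm with the one on the wire."""
    conf = configured_algorithms(adapter_xml)
    expected = KEYCLOAK_ALG_URI.get(conf["IDP"])
    actual = signature_algorithm(decode_post_binding(saml_request_b64))
    return {"configured": conf, "expected_uri": expected, "actual_uri": actual,
            "matches": expected is not None and actual == expected,
            "weak": is_weak(actual)}


# --- constructed samples ----------------------------------------------------
SAMPLE_ADAPTER_XML = """<keycloak-saml-adapter>
  <SP entityID="exampleEntityID" sslPolicy="EXTERNAL"
      nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <IDP entityID="idp" signatureAlgorithm="RSA_SHA256">
    <SingleSignOnService signRequest="true" requestBinding="POST"
        bindingUrl="https://idp.example.com/saml/sso"/>
  </IDP>
</keycloak-saml-adapter>"""


def _authn_request(alg_uri: str) -> str:
    # Placeholder SignatureValue: only SignedInfo is inspected, never verified.
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:ds="{DS}" '
            'ID="ID_1" Version="2.0" IssueInstant="2016-02-12T00:00:00Z">'
            '<ds:Signature><ds:SignedInfo>'
            '<ds:CanonicalizationMethod '
            'Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            f'<ds:SignatureMethod Algorithm="{alg_uri}"/>'
            '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>'
            '</ds:Signature></samlp:AuthnRequest>')


SAMPLE_SHA1_POST = base64.b64encode(_authn_request(DS + "rsa-sha1").encode()).decode()
SAMPLE_SHA256_POST = base64.b64encode(
    _authn_request(KEYCLOAK_ALG_URI["RSA_SHA256"]).encode()).decode()

if __name__ == "__main__":
    for name, req in (("sha1", SAMPLE_SHA1_POST), ("sha256", SAMPLE_SHA256_POST)):
        print(name, check(SAMPLE_ADAPTER_XML, req))
```

<p>Feed it the SAMLRequest form field captured from the browser. If actual_uri is still the rsa-sha1 URI while the IDP element says RSA_SHA256, the attribute is not being honoured where you put it, which is the symptom described above when it sits on the SP element.</p>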
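<p>For the three-request contract Reed describes in the quoted digest (GET, HEAD and POST on /api/users/&lt;username&gt;/) and Renann's question about those endpoints being open to anyone, here is an added Python implementation of the server side. It is not the Smartling provider's code. Things the thread does not specify and that are assumed here: the POSTed JSON field is named "password", every call must carry a shared bearer token, passwords are stored as salted PBKDF2 hashes, and the user table is constructed. It is written as pure functions with no socket so it runs offline; wire handle() into whatever HTTP framework you use.</p>

```python
"""Server side of the three-request contract described for the Smartling
user-migration provider: GET/HEAD/POST /api/users/<username>/.
Added example (not the provider's code); pure functions, runs offline.
Assumptions not from the thread: the POSTed JSON field is "password", a shared
bearer token gates every call, and the user table below is constructed."""
import hashlib
import hmac
import json
import os
import re
from typing import Optional, Tuple

USERS_PATH = re.compile(r"^/api/users/([^/]+)/$")
SHARED_SECRET = "replace-with-a-random-secret"   # assumption, see above
PUBLIC_FIELDS = ("username", "email", "emailVerified", "firstName", "lastName", "roles")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256; a fresh random salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _record(username, email, first, last, roles, password):
    salt, digest = hash_password(password)
    return {"username": username, "email": email, "emailVerified": True,
            "firstName": first, "lastName": last, "roles": roles,
            "_salt": salt, "_digest": digest}


# Constructed stand-in for the legacy user table (hash fields never leave here).
USERS = {u["username"]: u for u in (
    _record("alice", "alice@example.com", "Alice", "Adams", ["user"], "correct horse"),
)}


def verify_password(user: dict, candidate: str) -> bool:
    """Constant-time comparison of the recomputed PBKDF2 digest."""
    _, digest = hash_password(candidate, user["_salt"])
    return hmac.compare_digest(digest, user["_digest"])


def handle(method: str, path: str, body: Optional[str] = None,
           headers: Optional[dict] = None) -> Tuple[int, Optional[dict]]:
    """Return (status, json_body). Contract from the thread:
    GET  -> 200 + profile JSON, or 404 if the user is unknown
    HEAD -> always 200
    POST -> 200 if the password verifies, else 401; no body either way."""
    headers = headers or {}
    # Gate the endpoint so it is not open to anyone (assumption beyond the contract).
    expected = ("Bearer " + SHARED_SECRET).encode()
    if not hmac.compare_digest(headers.get("Authorization", "").encode(), expected):
        return 401, None
    m = USERS_PATH.match(path)
    if m is None:
        return 404, None
    user = USERS.get(m.group(1))
    if method == "HEAD":
        return 200, None
    if method == "GET":
        return (404, None) if user is None else (200, {k: user[k] for k in PUBLIC_FIELDS})
    if method == "POST":
        try:
            candidate = json.loads(body or "{}").get("password")
        except (ValueError, AttributeError):
            candidate = None
        if user is None or not isinstance(candidate, str):
            hash_password("", b"\0" * 16)   # same cost for unknown users: no timing oracle
            return 401, None
        return (200 if verify_password(user, candidate) else 401), None
    return 405, None
```

<p>The bearer token only keeps strangers from driving the endpoint; it does not stop Keycloak's own credential checks from being replayed by whoever can reach it with the secret, so put request-rate limits in front of it at the proxy as well.</p>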
</body>
</html>