<div dir="ltr"><div><div><div><div><div><div><div>Hi Bill,<br><br>Sorry for the delay in replies. <br><br></div><div>I am only using the Keycloak client SP adapter. <br></div><div><br></div>I had already tried your suggested configuration and it doesn't work. <br></div><div>Snippet of my Keycloak configuration file:<br></div><div>&lt;IDP entityID="hpsw-idp" signatureAlgorithm="RSA_SHA512" signatureCanonicalizationMethod="<a href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#</a>" signaturesRequired="true"&gt;<br><br></div><div><br>So I went further and spent some time trying to debug the libraries, and I think I found the root cause (please excuse me if I've made a mistake in the analysis).<br></div><div><br></div>I enabled TRACE logging on org.keycloak and couldn't figure out the cause of the problem due to inadequate logging in the relevant classes.<br><br>Instead, I attached a debugger and saw that the parser does indeed pick up the value correctly, but unfortunately the signing side of the library doesn't seem to use the new value. I went as far back as org.keycloak.saml.BaseSAML2BindingBuilder and saw that its value is not correctly initialized (see further in the mail for the root cause).<br><br></div>So, for example, in the org.keycloak.saml.BaseSAML2BindingBuilder#postBinding() method a new BasePostBindingBuilder is created and the constructor itself is used to sign the document. Nowhere in that call chain is the signing algorithm set to anything other than the default. I even tried attaching a breakpoint to the "setter" method and can confirm that it isn't called during the signing.
<br><br></div>Here is a guess at the technical problem:<br>The thread stack snippet is:<br>org.keycloak.saml.BaseSAML2BindingBuilder#postBinding() <br>org.keycloak.adapters.saml.SamlUtil#sendSaml() <br><b>org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler (near line 438) --- org.keycloak.adapters.saml.AbstractInitiateLogin#sendAuthnRequest() ::: </b>--> At this point, the signature information is lost, i.e. we need to
modify this method and include signature information in the method calls, i.e. deployment.signatureAlgorithm should be passed down to the relevant methods. <br></div><div><br><br><b>In case the mailing list is getting a bit difficult to work on this
issue, could we create a defect in Jira and talk over there? I am pretty
sure this is a defect for the Keycloak as SAML SP case.</b><br><br><br></div>Thanks,<br></div>Regards,<br></div>Akshay<br><div><div><div><div><br><br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 13, 2016 at 4:43 AM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
So, you're not using keycloak-server, just our SAML client SP
adapter?<br>
<br>
<a href="http://keycloak.github.io/docs/userguide/saml-client-adapter/html/adapter-config.html#d4e124" target="_blank">http://keycloak.github.io/docs/userguide/saml-client-adapter/html/adapter-config.html#d4e124</a><br>
<br>
You can set the signature algorithm there. The IDP section is
basically describing what the IDP expects when you communicate to
it.<div><div class="h5"><br>
<br>
<div>On 2/12/2016 6:43 AM, Akshay Kini
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Hi Bill,<br>
<br>
</div>
Thanks for looking into this.<br>
<br>
</div>
The use case is:<br>
<br>
</div>
Keycloak is an SP and it is sending an AuthnRequest via HTTP
Post. This AuthnRequest is always using RSA-SHA1 for signing.<br>
<br>
</div>
I have configured the Keycloak config file as follows:<br>
&lt;keycloak-saml-adapter&gt;<br>
&lt;SP entityID="exampleEntityID"<br>
sslPolicy="NONE"<br>
logoutPage="/logout.jsp"<br>
nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"<br>
forceAuthentication="false"<br>
signatureAlgorithm="RSA_SHA256"&gt;<br>
<div><br>
<div>
<div><br>
</div>
<div>In fact, the SP element doesn't have the
"signatureAlgorithm" attribute documented anywhere in the SAML
Client Adapter Reference Guide (it only exists for the
IDP).<br>
<br>
</div>
<div>Now this is a bit of unfamiliar territory for me, but I
looked into the Keycloak Code base (master):<br>
</div>
<div>I see that the
org.keycloak.adapters.saml.config.parsers.SPXmlParser
doesn't deal with
ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR while the
IDPXmlParser does. <br>
<br>
</div>
<br>
</div>
<div>Again, thanks for looking into this.<br>
<br>
</div>
<div>P.S. Sorry to all the mailing list subscribers, this
"chain" might get broken despite me changing the subject. I
am not sure how to fix that when using Gmail and subscribing
to a digest mailing-list. Please send a direct e-mail to me
if you know how to fix that.<br>
<br>
</div>
<div>Thanks,<br>
</div>
<div>Regards,<br>
</div>
<div>Akshay <br>
</div>
<div>
<div><br>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Feb 11, 2016 at
7:36 PM, <span dir="ltr"><<a href="mailto:keycloak-user-request@lists.jboss.org" target="_blank"></a><a href="mailto:keycloak-user-request@lists.jboss.org" target="_blank">keycloak-user-request@lists.jboss.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send
keycloak-user mailing list submissions to<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide
Web, visit<br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
or, via email, send a message with subject or
body 'help' to<br>
<a href="mailto:keycloak-user-request@lists.jboss.org" target="_blank">keycloak-user-request@lists.jboss.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:keycloak-user-owner@lists.jboss.org" target="_blank">keycloak-user-owner@lists.jboss.org</a><br>
<br>
When replying, please edit your Subject line so
it is more specific<br>
than "Re: Contents of keycloak-user digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: User-Federation (Renann Prado)<br>
2. Re: User-Federation (Renann Prado)<br>
3. Re: Keycloak as a SAML SP: Is it possible
to configure<br>
Keycloak to use RSA-SHA256 as the
algorithm to sign assertions.<br>
(Bill Burke)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 11 Feb 2016 11:16:29 -0200<br>
From: Renann Prado <<a href="mailto:prado.renann@gmail.com" target="_blank">prado.renann@gmail.com</a>><br>
Subject: Re: [keycloak-user] User-Federation<br>
To: Reed Lewis <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>><br>
Cc: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<CAEBys6KM1-n6wFqTJAAqb_aYaQdZwuiaUz2AspF5d-8Za=E9wQ@mail.gmail.com><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Is there any recommended way to make sure these
endpoints won't be spammed<br>
by an attacker? Looks like these endpoints need
to be open to anyone.<br>
<br>
Thanks<br>
On Feb 3, 2016 11:18, "Reed Lewis" <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>>
wrote:<br>
<br>
> If you use the federation provider listed
here:<br>
><br>
> [0]: <a href="http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/" rel="noreferrer" target="_blank">http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/</a><br>
> [1]: <a href="https://github.com/Smartling/keycloak-user-migration-provider" rel="noreferrer" target="_blank">https://github.com/Smartling/keycloak-user-migration-provider</a><br>
><br>
> You can specify a URL that will be called
when a user needs to be<br>
> validated.<br>
><br>
> There are three requests that need to be
implemented in your server.<br>
><br>
> GET
&lt;baseURL&gt;/api/users/&lt;username&gt;/<br>
> If the user exists, it should return a 200
with a JSON object with the<br>
> return type "application/json" with the
following fields:<br>
> username<br>
> email<br>
> emailVerified<br>
> firstName<br>
> lastName<br>
> roles ["user"]<br>
><br>
> If the user does not exist, return a 404<br>
><br>
> HEAD
&lt;baseURL&gt;/api/users/&lt;username&gt;/<br>
> Always return 200<br>
><br>
> POST
&lt;baseURL&gt;/api/users/&lt;username&gt;/<br>
> The password is posted to you in a json
object.<br>
> Return 200 if the password is OK, 401 if
not. In both cases return no<br>
> data.<br>
><br>
> I wrote a small python module which
implements these methods which works<br>
> quite well.<br>
><br>
> Reed<br>
><br>
> From: <<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a>>
on behalf of Stuart Jacobs <<br>
> <a href="mailto:stuart.jacobs@symbiotics.co.za" target="_blank">stuart.jacobs@symbiotics.co.za</a>><br>
> Date: Wednesday, February 3, 2016 at 2:40
AM<br>
> To: "<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>"
<<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
> Subject: [keycloak-user] User-Federation<br>
><br>
> Hi Everyone,<br>
><br>
> I have an application that runs on a
PostgreSQL database; Keycloak has<br>
> been configured and has created all the
required tables/columns in my<br>
> schema using liquibase on start up of the
keycloak server.<br>
><br>
> I need to authenticate users using the
project's existing user table<br>
> obtaining the username and password from
this table.<br>
><br>
> I have had a look at the federation
provider project under the example<br>
> projects but this still eludes me as to how
I change the keycloak mapping<br>
> to use my own tables in Postgres?<br>
><br>
> Can someone please point me in the right
direction or if someone has<br>
> implemented such a solution please share
how you have done it?<br>
><br>
> Thanks everyone.<br>
><br>
> Regards,<br>
> Stuart Jacobs<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> <a href="http://www.symbiotics.co.za" rel="noreferrer" target="_blank">www.symbiotics.co.za</a><br>
><br>
>
********************************************************************************<br>
> This email and any accompanying attachments
may contain confidential and<br>
> proprietary information. This information
is private and protected by law<br>
> and, accordingly, if you are not the
intended recipient, you are requested<br>
> to delete this entire communication
immediately and are notified that any<br>
> disclosure, copying or distribution of or
taking any action based on this<br>
> information is prohibited.<br>
><br>
> Emails cannot be guaranteed to be secure or
free of errors or viruses. The<br>
> sender does not accept any liability or
responsibility for any<br>
> interception, corruption, destruction,
loss, late arrival or incompleteness<br>
> of or tampering or interference with any of
the information contained in<br>
> this email or for its incorrect delivery or
non-delivery for whatsoever<br>
> reason or for its effect on any electronic
device of the recipient.<br>
><br>
>
********************************************************************************<br>
><br>
><br>
>
_______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/d777c2bf/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/d777c2bf/attachment-0001.html</a><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 11 Feb 2016 11:17:14 -0200<br>
From: Renann Prado <<a href="mailto:prado.renann@gmail.com" target="_blank">prado.renann@gmail.com</a>><br>
Subject: Re: [keycloak-user] User-Federation<br>
To: Reed Lewis <<a href="mailto:RLewis@carbonite.com" target="_blank">RLewis@carbonite.com</a>><br>
Cc: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID:<br>
<CAEBys6+i6jFdycaCg-rf9vC=<a href="mailto:T7chbrkKeWsfAbNvC2tidKdhZw@mail.gmail.com" target="_blank"></a><a href="mailto:T7chbrkKeWsfAbNvC2tidKdhZw@mail.gmail.com" target="_blank">T7chbrkKeWsfAbNvC2tidKdhZw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Everyone*<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/6164ad32/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/6164ad32/attachment-0001.html</a><br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Thu, 11 Feb 2016 09:06:49 -0500<br>
From: Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br>
Subject: Re: [keycloak-user] Keycloak as a SAML
SP: Is it possible to<br>
configure Keycloak to use RSA-SHA256 as
the algorithm to sign<br>
assertions.<br>
To: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
Message-ID: <<a href="mailto:56BC9579.8080102@redhat.com" target="_blank">56BC9579.8080102@redhat.com</a>><br>
Content-Type: text/plain; charset="windows-1252"<br>
<br>
Where? Keycloak Saml SP? Keycloak Server
interaction with an<br>
app/client? Or Keycloak Server acting as an SP
in a broker scenario?<br>
<br>
They all *should* support plugging in the
algorithm. Did you configure<br>
this correctly?<br>
<br>
On 2/11/2016 6:29 AM, Akshay Kini wrote:<br>
> Hi Folks,<br>
><br>
> We are using Keycloak as a SAML SP.<br>
><br>
> I notice that SAML Assertions are signed
using rsa-sha1, could we<br>
> configure it to use RSA-SHA256?<br>
><br>
> Thanks,<br>
> Regards,<br>
> Akshay<br>
><br>
><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/573d1ced/attachment.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/573d1ced/attachment.html</a><br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
End of keycloak-user Digest, Vol 26, Issue 56<br>
*********************************************<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
</div></div></div>
</blockquote></div><br></div></div></div></div>
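Added example, not code from the Keycloak project nor from anyone in this thread: a Python check for the situation Akshay describes, where keycloak-saml.xml asks for RSA_SHA256 but the AuthnRequest still leaves the SP signed with RSA-SHA1. It reads the signatureAlgorithm attribute from the SP (or IDP) element of the adapter configuration, decodes a POST-binding SAMLRequest value, pulls the ds:SignatureMethod Algorithm URI out of the XML signature, and reports whether the two agree and whether SHA-1 is still in use. The adapter configuration and the AuthnRequest are constructed inline for the example (the SignatureValue is a placeholder, since only the declared algorithm is inspected); the RSA_SHA1/RSA_SHA256/RSA_SHA512 names are mapped to the standard XML-DSig algorithm URIs, and treating a missing attribute as RSA_SHA1 is an assumption that follows the thread's observation of what the adapter signs with by default.

```python
"""Added example, not code from the Keycloak project or from anyone in the thread:
compare the signature algorithm configured in keycloak-saml.xml with the one a
POST-bound AuthnRequest actually declares in its XML signature."""
import base64
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Keycloak's RSA_SHA* names mapped to the standard XML-DSig algorithm URIs
# (xmldsig-core for rsa-sha1, RFC 4051 for the SHA-2 variants).
KEYCLOAK_ALG_URIS = {
    "RSA_SHA1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "RSA_SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "RSA_SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
URI_TO_NAME = {uri: name for name, uri in KEYCLOAK_ALG_URIS.items()}

# Constructed adapter configuration modelled on the snippets in the thread.
ADAPTER_CONFIG = """<keycloak-saml-adapter>
  <SP entityID="exampleEntityID" sslPolicy="NONE" signatureAlgorithm="RSA_SHA256">
    <IDP entityID="hpsw-idp" signatureAlgorithm="RSA_SHA512"
         signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#"
         signaturesRequired="true"/>
  </SP>
</keycloak-saml-adapter>"""

# Constructed AuthnRequest: only the declared algorithm matters here, so the
# SignatureValue is a placeholder rather than a real signature.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="ID_constructed" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""
SAML_REQUEST_B64 = base64.b64encode(AUTHN_REQUEST.encode()).decode()


def configured_algorithm(adapter_xml, element="SP"):
    """Algorithm name on the given element; assumes RSA_SHA1 when the attribute
    is absent, which is what the thread observes the adapter signing with."""
    node = ET.fromstring(adapter_xml).find(f".//{element}")
    if node is None:
        return None
    return node.get("signatureAlgorithm", "RSA_SHA1")


def observed_algorithm(saml_request_b64):
    """Decode the SAMLRequest form parameter and return the ds:SignatureMethod URI."""
    doc = ET.fromstring(base64.b64decode(saml_request_b64))
    method = doc.find(f".//{{{DS_NS}}}SignatureMethod")
    if method is None:
        raise ValueError("AuthnRequest carries no XML signature")
    return method.get("Algorithm")


def check_signature_algorithm(adapter_xml, saml_request_b64, element="SP"):
    """Report expected vs. actual algorithm; the two flags are what a test
    or a log check would key on."""
    expected_name = configured_algorithm(adapter_xml, element)
    actual_uri = observed_algorithm(saml_request_b64)
    return {
        "expected": expected_name,
        "actual": URI_TO_NAME.get(actual_uri, actual_uri),
        "matches_config": actual_uri == KEYCLOAK_ALG_URIS.get(expected_name),
        "uses_sha1": actual_uri.endswith("sha1"),
    }


if __name__ == "__main__":
    report = check_signature_algorithm(ADAPTER_CONFIG, SAML_REQUEST_B64)
    print(report)
    # With the constructed inputs: expected RSA_SHA256, actual RSA_SHA1,
    # matches_config False, uses_sha1 True.
```

In a real deployment the SAMLRequest value is what the browser POSTs to the IDP's SSO endpoint, so the same check can be run on a captured form post to confirm that a configuration change actually took effect, which is what TRACE logging failed to show in this thread.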
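Added example, not the Smartling provider's code nor Reed's Python module: an in-process model of the three requests Reed lists for the remote user store in the quoted digest (GET, HEAD and POST on /api/users/<username>/), so the contract can be exercised without a running server. The status codes and JSON fields are the ones given in the thread; the user store, the "password" key name in the posted JSON, and the PBKDF2 hashing are assumptions made for the example.

```python
"""Added example, not the Smartling provider's code nor Reed's module: an
in-process model of the three requests the remote user store must answer."""
import hashlib
import hmac
import json
import re

PATH = re.compile(r"^/api/users/([^/]+)/$")


def _pbkdf2(password, salt):
    # Hashing scheme chosen for the example; the thread only says a password is posted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: the profile fields from the thread plus a salted hash.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "email": "alice@example.test",
        "emailVerified": True,
        "firstName": "Alice",
        "lastName": "Liddell",
        "roles": ["user"],
        "salt": _SALT,
        "hash": _pbkdf2("correct horse battery", _SALT),
    },
}
_DUMMY_HASH = _pbkdf2("dummy", _SALT)


def handle(method, path, body=b""):
    """Dispatch one request under the contract; returns (status, headers, body_bytes)."""
    match = PATH.match(path)
    if not match:
        return 404, {}, b""
    username = match.group(1)
    user = USERS.get(username)

    if method == "HEAD":
        return 200, {}, b""  # contract: always 200

    if method == "GET":
        if user is None:
            return 404, {}, b""  # contract: unknown user is 404
        profile = {"username": username}
        profile.update({k: user[k] for k in
                        ("email", "emailVerified", "firstName", "lastName", "roles")})
        return 200, {"Content-Type": "application/json"}, json.dumps(profile).encode()

    if method == "POST":
        # Assumption of the example: the JSON object carries the password under "password".
        try:
            supplied = json.loads(body.decode())["password"]
        except (ValueError, KeyError, TypeError):
            return 401, {}, b""
        # Always run the hash so an unknown username costs the same as a wrong password.
        salt = user["salt"] if user else _SALT
        expected = user["hash"] if user else _DUMMY_HASH
        ok = hmac.compare_digest(_pbkdf2(str(supplied), salt), expected) and user is not None
        return (200 if ok else 401), {}, b""  # contract: no body either way

    return 405, {}, b""  # methods outside the contract
```

The HEAD and GET handlers return exactly what the thread specifies; the POST path adds the constant-time comparison and the dummy hash for unknown users, which the thread does not mention but which any implementation of this contract should have, because the endpoint is reachable by anyone who can reach the federation provider's URL.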