Thanks for raising this.
We should implement a similar check for the "aud" claim in OIDC and
require strict validation. The actual value of the audience URI would be
either realm URL or SAML endpoint URL within the realm. I've introduced a
more general
that will
address this item.
--Hynek
On Thu, Aug 2, 2018 at 12:44 PM Dmitry Telegin <dt(a)acutus.pro> wrote:
Hi,
It's been SAML time recently in keycloak-dev, so I won't be breaking
the trend... :)
A customer tasked us with configuring Keycloak brokering to the 3rd
party SAML IdP. The IdP doesn't allow for SP metadata import, so the
values have to be configured manually, of which the two are mandatory,
namely Assertion Consumer Service URL and Audience (Entity ID).
While things are crystal clear with ACS URL, there was some
misunderstanding with the Audience parameter. Assuming that it should
be equal to the EntityID of Keycloak (acting as an SP in this case),
we've put it there. After that, while reconfiguring for IdP-initiated
SSO, we have changed the ACS (the /clients/{url-name} suffix is
appended to it), but the question was what to do with Entity ID. By
experiment, we have determined that actually any non-empty value
worked.
The situation is ambiguous, and we need to communicate it to the
customer somehow. The line in the docs "put any non-empty value"
smells fishy to me. I've found a technical explanation though; the
Audience (Entity ID) value ends up in the AudienceRestriction tag of
the SAML response. While Keycloak's SAML parser is aware of that tag,
it isn't processed in any way (ignored, in other words).
Here's what the SAML spec says on AudienceRestriction:
> Although a SAML relying party that is outside the audiences
> specified is capable of drawing conclusions from an assertion, the
> SAML asserting party explicitly makes no representation as to
> accuracy or trustworthiness to such a party...
>
> ...the <AudienceRestriction> element allows the SAML asserting
> party to state explicitly that no warranty is provided to such a
> party in a machine- and human-readable form. While there can be no
> guarantee that a court would uphold such a warranty exclusion in every
> circumstance, the probability of upholding the warranty exclusion is
> considerably improved...
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
Nothing is said in the spec about whether the AudienceRestriction check is
mandatory, so I'd suppose it is optional. Some SAML-enabled software
however implements strict checking, WebLogic being a well-known case.
So it doesn't look like a defect or a security vulnerability, and
shouldn't pose any problems? Wanted to know the stance of the Keycloak
dev team on this.
Thanks in advance!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
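The strict check discussed in this thread, as an added example that is not Keycloak's own code: for SAML it applies the AudienceRestriction semantics from SAML Core 2.5.1.4 (every <AudienceRestriction> element must hold, any one <Audience> inside an element is enough), and for OIDC it applies the same set-membership rule to the JWT "aud" claim (RFC 7519 section 4.1.3). The accepted audience set follows Hynek's description, the realm URL and the realm's SAML endpoint URL; the hostnames, realm name, broker alias and assertion fragments are constructed sample values, and the `/broker/{alias}/endpoint` path is assumed for illustration only.

```python
"""Strict audience validation for SAML assertions and OIDC tokens (added example)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed values: what this SP identifies itself as (hypothetical host/realm/alias).
REALM_URL = "https://sso.example.test/auth/realms/demo"
SAML_ENDPOINT = REALM_URL + "/broker/acme-idp/endpoint"
ACCEPTED = {REALM_URL, SAML_ENDPOINT}


def check_audience(assertion_xml, allowed_audiences, require_restriction=False):
    """Return (accepted, reason) for the AudienceRestriction condition(s) of one assertion.

    SAML Core 2.5.1.4: several <AudienceRestriction> elements are independent
    conditions and all must be satisfied; within one element, a single matching
    <Audience> is enough. Comparison is exact after whitespace trimming; no
    prefix or substring matching, so "any non-empty value" is not accepted.
    """
    allowed = {a.strip() for a in allowed_audiences}
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall(".//saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        if require_restriction:
            return False, "no AudienceRestriction present"
        return True, "no AudienceRestriction present (optional per spec)"
    for idx, restriction in enumerate(restrictions):
        audiences = [(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)]
        if not any(a in allowed for a in audiences):
            return False, f"AudienceRestriction #{idx} lists {audiences}, none of {sorted(allowed)}"
    return True, "every AudienceRestriction names an accepted audience"


def check_oidc_aud(claims, allowed_audiences):
    """Same rule for the JWT "aud" claim: a string or an array of strings, and the
    recipient must find one of its own identifiers in it. Strict mode: a missing
    claim is rejected rather than skipped."""
    aud = claims.get("aud")
    if aud is None:
        return False, "aud claim missing"
    values = [aud] if isinstance(aud, str) else list(aud)
    allowed = set(allowed_audiences)
    if any(v in allowed for v in values):
        return True, "aud contains an accepted audience"
    return False, f"aud {values} contains none of {sorted(allowed)}"


def _assertion(audience_blocks):
    """Build a constructed assertion; each inner list becomes one <AudienceRestriction>."""
    conditions = "".join(
        "<saml:AudienceRestriction>"
        + "".join(f"<saml:Audience>{a}</saml:Audience>" for a in block)
        + "</saml:AudienceRestriction>"
        for block in audience_blocks
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_id1" Version="2.0">'
        "<saml:Issuer>https://idp.example.test/saml</saml:Issuer>"
        f"<saml:Conditions>{conditions}</saml:Conditions>"
        "</saml:Assertion>"
    )


# Constructed samples covering the cases the thread raises.
SAMPLES = {
    "realm_url": _assertion([[REALM_URL]]),
    "endpoint_url": _assertion([[SAML_ENDPOINT]]),
    "arbitrary_value": _assertion([["foo"]]),  # the "any non-empty value" that currently works
    "one_of_many": _assertion([["https://other-sp.example.test", REALM_URL]]),
    "and_condition": _assertion([[REALM_URL], ["https://other-sp.example.test"]]),
    "absent": _assertion([]),
}


def evaluate_all(samples=SAMPLES, accepted=ACCEPTED, require_restriction=False):
    """Map each sample name to the accept/reject decision of check_audience."""
    return {name: check_audience(xml, accepted, require_restriction)[0]
            for name, xml in samples.items()}


if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:16} -> {'accept' if ok else 'reject'}")
    print("oidc aud array   ->", check_oidc_aud({"aud": ["other", REALM_URL]}, ACCEPTED)[0])
```

The `and_condition` sample is the one most implementations get wrong: the assertion does name the realm URL, but a second <AudienceRestriction> names only a foreign SP, and the spec treats the two as a conjunction, so the assertion must be rejected. `require_restriction` is left off by default to match the "optional" reading of the spec quoted above; a deployment that wants WebLogic-style strictness flips it on.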
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev