8:24 a.m.
Hi,
We use a SAML IdP which is configured in Keycloak as federated IdP, and I’ve a question
concerning the validation of SAML signatures. In Keycloaks Identity provider config page,
the validating X509 Certificates can be configured, with description “The certificate in
PEM format that must be used to check for signatures. Multiple certificates can be
entered, separated by comma (,).” but in the code, I see that for checking the signatures
a hardcoded key locator is used, which does not use the keyName provided in the SAML but
always returns the first configured certificate. See
org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a
HardcodedKeyLocator for details.
This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see
commit
https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c7....
My two questions concerning this approach:
1. Keycloak is currently expecting a <KeyInfo> element with a <KeyName> in
the incoming SAML message, while this is not a required element in the SAML specs. Are
there plans to check the signature against the configured X509 certificates without having
to provide a KeyInfo element, currently I”m facing a NullPointer exception when sending a
SAMLResponse without KeyInfo element.
2. What’s the idea behind the HardcodedKeyLocator, it doesn’t seem to match with the
multiple keys configuration option in Keycloaks frontend. Is this a preliminary approach
which should be extended?
Hope to hear your thoughts on this!
Mark
2:47 a.m.
This mailing list is exclusively dedicated to discussions around
Keycloak development.
Please resend your question to keycloak-user mailing list [1] which is a
place for any questions related to installing, setting up, and using
Keycloak. For item 1, please file a JIRA and state as much details
of NPE and your configuration as possible.
[1] https://lists.jboss.org/mailman/listinfo/keycloak-user
On Fri, Jan 27, 2017 at 3:24 PM, Mark Pardijs <mark.pardijs(a)topicus.nl> wrote:
Hi,
We use a SAML IdP which is configured in Keycloak as federated IdP, and I’ve a question
concerning the validation of SAML signatures. In Keycloaks Identity provider config page,
the validating X509 Certificates can be configured, with description “The certificate in
PEM format that must be used to check for signatures. Multiple certificates can be
entered, separated by comma (,).” but in the code, I see that for checking the signatures
a hardcoded key locator is used, which does not use the keyName provided in the SAML but
always returns the first configured certificate. See
org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a
HardcodedKeyLocator for details.
This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see
commit
https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c7....
My two questions concerning this approach:
1. Keycloak is currently expecting a <KeyInfo> element with a <KeyName> in
the incoming SAML message, while this is not a required element in the SAML specs. Are
there plans to check the signature against the configured X509 certificates without having
to provide a KeyInfo element, currently I”m facing a NullPointer exception when sending a
SAMLResponse without KeyInfo element.
2. What’s the idea behind the HardcodedKeyLocator, it doesn’t seem to match with the
multiple keys configuration option in Keycloaks frontend. Is this a preliminary approach
which should be extended?
Hope to hear your thoughts on this!
Mark
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
--Hynek
2907
days inactive
2910
days old
1 comments
2 participants
participants (2)
-
Hynek Mlnarik -
Mark Pardijs