Hi Luis,
Thank you for your answer. I tried your suggestion, following the provided
example.
My SAML request has changed, but I still get the same error, i.e. SigAlg was
null.
My guess is that Keycloak doesn't manage to read the value in the SAML
request.
Here is my SAML request (retrieved with SAML Tracer on Firefox):
<samlp:AuthnRequest AssertionConsumerServiceURL="..."
    Destination="..."
    ID="_5c3e604e-7dad-443e-9b10-5cbe2d685081"
    IssueInstant="2018-05-28T07:26:17Z"
    Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer>...</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_5c3e604e-7dad-443e-9b10-5cbe2d685081">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi md"
                xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</samlp:AuthnRequest>
As expected, I have the correct values for SignatureMethod and
DigestMethod. I'm short of ideas.
Thanks in advance,
Pierre
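Added example (editor's code, not from this thread, from Keycloak or from either poster): in the SAML HTTP-Redirect binding the signature does not live inside the XML at all. The sender deflates and base64-encodes the AuthnRequest, then signs the URL-encoded string "SAMLRequest=...&RelayState=...&SigAlg=..." and appends the result as a Signature query parameter; the SigAlg value is the same algorithm URI that ds:SignatureMethod would carry. An enveloped ds:Signature like the one in the request above is the form the HTTP-POST binding uses. The Go program below builds and verifies a redirect-binding request and shows what a receiver that expects the query-parameter form reports when only the deflated XML arrives. The error text mirrors the thread's wording, the SampleAuthnRequest and all function names are constructed for the example, and whether this matches Keycloak's own check is an assumption the thread does not confirm.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1" // registers SHA-1 for the legacy rsa-sha1 URI
	_ "crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SigAlg carries the same algorithm URI that ds:SignatureMethod uses; sigAlgHash is the receiver's allowlist.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

var sigAlgHash = map[string]crypto.Hash{
	SigAlgRSASHA256:                              crypto.SHA256,
	"http://www.w3.org/2000/09/xmldsig#rsa-sha1": crypto.SHA1, // legacy; SHA-1 is deprecated
}

// ErrSigAlgMissing mirrors the thread's "SigAlg was null" wording (assumed, not Keycloak's own code).
var ErrSigAlgMissing = errors.New("invalid_signature: SigAlg was null")

// SampleAuthnRequest is a constructed minimal request used as input below.
const SampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0" IssueInstant="2018-05-28T07:26:17Z"/>`

// deflateBase64 is the binding's message encoding: raw DEFLATE (no zlib header), then base64.
func deflateBase64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errors only on an invalid level
	w.Write([]byte(xml))
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

func digest(h crypto.Hash, s string) []byte {
	d := h.New()
	d.Write([]byte(s))
	return d.Sum(nil)
}

// SignRedirectQuery signs the URL-encoded parameters in the fixed order SAMLRequest, RelayState
// (if present), SigAlg, then appends Signature, which is not itself covered by the signature.
func SignRedirectQuery(priv *rsa.PrivateKey, requestXML, relayState, sigAlg string) (string, error) {
	h, ok := sigAlgHash[sigAlg]
	if !ok {
		return "", fmt.Errorf("unsupported SigAlg %q", sigAlg)
	}
	signed := "SAMLRequest=" + url.QueryEscape(deflateBase64(requestXML))
	if relayState != "" {
		signed += "&RelayState=" + url.QueryEscape(relayState)
	}
	signed += "&SigAlg=" + url.QueryEscape(sigAlg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, h, digest(h, signed))
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams keeps values URL-encoded: the receiver verifies the exact bytes that were signed,
// never a re-encoding of them (encoders differ in which characters they escape).
func rawParams(query string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			out[parts[0]] = parts[1]
		}
	}
	return out
}

// VerifyRedirectQuery is the receiver: it needs SigAlg and Signature as query parameters and
// takes no notice of any ds:Signature element inside the deflated XML.
func VerifyRedirectQuery(pub *rsa.PublicKey, query string) error {
	p := rawParams(query)
	if _, ok := p["SigAlg"]; !ok {
		return ErrSigAlgMissing
	}
	alg, _ := url.QueryUnescape(p["SigAlg"])
	h, ok := sigAlgHash[alg]
	if !ok {
		return fmt.Errorf("invalid_signature: unsupported SigAlg %q", alg)
	}
	sigB64, _ := url.QueryUnescape(p["Signature"]) // an absent parameter decodes to ""
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) == 0 {
		return errors.New("invalid_signature: Signature missing or malformed")
	}
	signed := "SAMLRequest=" + p["SAMLRequest"]
	if rs, ok := p["RelayState"]; ok {
		signed += "&RelayState=" + rs
	}
	signed += "&SigAlg=" + p["SigAlg"]
	if err := rsa.VerifyPKCS1v15(pub, h, digest(h, signed), sig); err != nil {
		return fmt.Errorf("invalid_signature: %w", err)
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	q, _ := SignRedirectQuery(priv, SampleAuthnRequest, "state-1", SigAlgRSASHA256)
	fmt.Println("signed query:", VerifyRedirectQuery(&priv.PublicKey, q))
	// Deflated XML alone, as when the signature lives inside the document rather than the query:
	fmt.Println("no SigAlg:", VerifyRedirectQuery(&priv.PublicKey, "SAMLRequest="+url.QueryEscape(deflateBase64(SampleAuthnRequest))))
}
```

Two details matter on the receiving side: the verifier must hash the parameter values exactly as they arrived in the URL rather than decoding and re-encoding them, and the SigAlg value must be checked against an allowlist before it selects a hash, so a sender cannot downgrade the algorithm by naming one the receiver never intended to accept.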
Date: Fri, 25 May 2018 14:39:03 +0200
From: Luis Rodríguez Fernández <uo67113(a)gmail.com>
Subject: Re: [keycloak-user] SAML signing AuthnRequest results in
invalid_signature (SigAlg was null)
To: keycloak-user(a)lists.jboss.org
Message-ID:
<CACp70MkD1nWyy600hw-y-ZX8gKqv5RB-gpU_UFE7VAW0_nL2VA(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hello Pierre,
Mmm, if I am not wrong, usually for signature methods SAML uses the URI
identifier [1]. E.g. my IdP (ADFS) likes
"http://www.w3.org/2000/09/xmldsig#rsa-sha1". You can have a look at this
example:
https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
Hope it helps,
Luis
[1]
https://www.w3.org/TR/xmlsec-algorithms/
[2]