Hope it helps,
Luis
2018-05-28 16:26 GMT+02:00 Pierre Dupont <pierredupontdal(a)gmail.com>:
Hello Luis,
I checked the XML file, the requestBinding is POST, but that was a good
hint: Keycloak is waiting for a SigAlg parameter as an HTTP parameter. I had a
parameter (embed_sign) in my SP config which was embedding these parameters
in the AuthnRequest instead of passing them as HTTP parameters.
However, I got another error, which is a NullPointerException.
I think it is the same as this one:
https://issues.jboss.org/browse/KEYCLOAK-7032
It seems the only solution is to use an older version of Keycloak, unless
you have a better solution.
In any case, thank you for your help and your time.
Best regards,
Pierre
On Mon, May 28, 2018 at 12:17 PM, Luis Rodríguez Fernández <
uo67113(a)gmail.com> wrote:
> Hello Pierre,
>
> It looks correct to me, or at least very similar to mine:
>
> https://gist.github.com/lurodrig/0c26b2000a725946b3ecc7994543d918
>
> I do think that the problem is that your IdP is expecting a GET for the
> authnRequest and what your SP is doing is a POST. What is the value of your
> IDP.SingleSignOnService.requestBinding in your keycloak.xml? Me I have
> something like this:
>
> <IDP entityID="idp"
>      signatureAlgorithm="RSA_SHA256"
>      signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
>   <SingleSignOnService signRequest="true"
>                        validateResponseSignature="true"
>                        validateAssertionSignature="false"
>                        requestBinding="POST"
>
> Hope it helps,
>
> Luis
>
> 2018-05-28 10:32 GMT+02:00 Pierre Dupont <pierredupontdal(a)gmail.com>:
>
>> Hi Luis,
>>
>> Thank you for your answer. I tried your suggestion, following the
>> provided example.
>> My SAML request has changed, but I still get the same error, i.e. SigAlg
>> was null.
>> My guess is that Keycloak doesn't manage to read the value in the SAML
>> request.
>>
>> Here is my SAML request (retrieved with SAML Tracer on Firefox):
>> <samlp:AuthnRequest AssertionConsumerServiceURL="..." Destination="..."
>>     ID="_5c3e604e-7dad-443e-9b10-5cbe2d685081" IssueInstant="2018-05-28T07:26:17Z"
>>     Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>>   <saml:Issuer>...</saml:Issuer>
>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>     <ds:SignedInfo>
>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>       <ds:Reference URI="#_5c3e604e-7dad-443e-9b10-5cbe2d685081">
>>         <ds:Transforms>
>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>             <ec:InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi md"
>>                                     xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>           </ds:Transform>
>>         </ds:Transforms>
>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>         <ds:DigestValue>...</ds:DigestValue>
>>       </ds:Reference>
>>     </ds:SignedInfo>
>>     <ds:SignatureValue>...</ds:SignatureValue>
>>     <ds:KeyInfo>
>>       <ds:X509Data>
>>         <ds:X509Certificate>...</ds:X509Certificate>
>>       </ds:X509Data>
>>     </ds:KeyInfo>
>>   </ds:Signature>
>>   <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
>> </samlp:AuthnRequest>
>>
>> As expected, I have the correct values for SignatureMethod and
>> DigestMethod. I'm short of ideas.
>>
>> Thanks in advance,
>>
>> Pierre
>>
>> Date: Fri, 25 May 2018 14:39:03 +0200
>> From: Luis Rodríguez Fernández <uo67113(a)gmail.com>
>> Subject: Re: [keycloak-user] SAML signing AuthnRequest results in
>> invalid_signature (SigAlg was null)
>> To: keycloak-user(a)lists.jboss.org
>>
>> Hello Pierre,
>>
>> mmm, if I am not wrong, usually for signature methods SAML uses the URI
>> identifier [1]. E.g. my IdP (ADFS) likes
>> "http://www.w3.org/2000/09/xmldsig#rsa-sha1". You can have a look at this
>> example:
>> https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
>>
>> Hope it helps,
>>
>> Luis
>>
>> [1] https://www.w3.org/TR/xmlsec-algorithms/
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
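The thread's root cause, as an added example that is not part of the mailing-list exchange or of Keycloak's code base: with the SAML HTTP-Redirect binding the request signature travels as the SigAlg and Signature query parameters, computed over the encoded query string, rather than as a ds:Signature element inside the AuthnRequest, so an IdP verifying that binding reports SigAlg as missing when the SP embeds the signature in the XML instead. The Go program below shows both sides; it assumes an RSA-SHA256 key pair, takes the SAMLRequest value as already DEFLATE-compressed and base64-encoded, and leaves RelayState out (when present it sits between SAMLRequest and SigAlg in the signed string).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)

// Algorithm URI the IdP accepts (the thread's keycloak.xml uses RSA_SHA256).
const rsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SP side: the signature covers the URL-encoded string "SAMLRequest=..&SigAlg=.." and is
// appended as a separate Signature parameter instead of being embedded in the XML.
// samlRequest is the AuthnRequest after DEFLATE + base64 (assumed done by the caller).
func signedQuery(key *rsa.PrivateKey, samlRequest string) (string, error) {
	q := "SAMLRequest=" + url.QueryEscape(samlRequest) + "&SigAlg=" + url.QueryEscape(rsaSha256)
	h := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// IdP side: SigAlg and Signature are read as HTTP parameters; a ds:Signature inside the
// XML is never consulted. The binding fixes the parameter order, so everything before
// "&Signature=" is the signed string and is hashed exactly as received, never re-encoded.
func verifyQuery(pub *rsa.PublicKey, rawQuery string) error {
	signed, sigEnc, found := strings.Cut(rawQuery, "&Signature=")
	params, _ := url.ParseQuery(signed)
	alg := params.Get("SigAlg")
	if alg == "" {
		return errors.New("invalid_signature: SigAlg was null")
	}
	if alg != rsaSha256 { // pin the algorithm; the sender must not get to choose a weaker one
		return errors.New("invalid_signature: unsupported SigAlg " + alg)
	}
	sigB64, _ := url.QueryUnescape(sigEnc)
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if !found || err != nil || len(sig) == 0 {
		return errors.New("invalid_signature: Signature missing or malformed")
	}
	h := sha256.Sum256([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```

Feeding verifyQuery a query that carries only SAMLRequest, which is what an SP sends when it embeds the signature in the XML, reproduces the thread's "SigAlg was null" rejection.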