Re: [keycloak-user] Issue with SAML AuthnRequest
Hi,
On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
May I ask you what is the client implementation? For my dev
environment,
Thanks for the answer! :-) It is a client built with OpenSAML.
The signature created by it, according to Oxygen12, is valid
(by validing the Base64 encoded SAML Authn Request obtained from WireShark).
If your client uses keycloak, at least in the java adapter you can define
the signatureCanonicalizationMethod, but usually the default one (
http://www.w3.org/2001/10/xml-exc-c14n#) is OK. Check in your client if you
can customize this.
> <ds:SignedInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Canonic...
>
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:...
>
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></...
>
URI="#46faa8d7-fd71-4c00-8bad-921a5bd9e5c8"><ds:Transforms><ds:Transform
>
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature&quo...
>
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:...
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256
We do use this C14n algorithm already ...
Uhmm... can it be that the received SOAP is passed through a DocumentBUilderFactory using
Jaxb (thus adding
fake namespaces) or Transforms with some level on indentation that breaks the signature,
in the version 4.8.3?
Thanks!