Re: [keycloak-user] SAML Assertion Signature Algorithm Validation

Hi, I'm currently testing different SAML signature algorithms with our application and I noticed that regardless of the chosen signature algorithm for a SAML client, Keycloak will accept assertions signed with another algorithm (ex: KC signs with SHA256 but accepts SHA1 from the SP). With many other IdPs, when a signature algorithm is chosen, there's a validation that the same algorithm is used in both directions. I think this is something that Keycloak should do too as a security measure. Can this be done right now or an enhancement request would be required? Thanks, -- Gabriel Lavoie glavoie(a)gmail.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user