Hi Ed :-),
From a quick peek at the code [1] it looks like Keycloak re-uses the
per-identity provider setting for signing authentication requests for the
logout requests as well. By setting "Want AuthnRequests Signed" in the
configuration for NetIQ, Keycloak should start signing the logout requests
as well.
I believe you are right that the spec requires sending signed logout
requests when using the POST binding.
Let me know if that works,
Hans.
[1]
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
On Mon, Jan 28, 2019 at 12:41 PM <keycloak-user-request(a)lists.jboss.org>
wrote:
------------------------------
Message: 2
Date: Mon, 28 Jan 2019 11:10:53 +0000
From: "Edgar Vonk - Info.nl" <Edgar(a)info.nl>
Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest
not working with NetIQ Access Manager because it is not signed?
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <82603569-9670-44FD-8D01-9BA5F1998CEF(a)info.nl>
Content-Type: text/plain; charset="utf-8"
hi all,
We are trying to set up Keycloak to act as a federated identity provider
between our (OAuth2-enabled) application and the external SAML 2.0-enabled
NetIQ Access Manager identity provider using:
https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-id...
The basic setup including authentication works fine. However logging out
does not. When attempting to logout from our application Keycloak sends a
SAML LogoutRequest to NetIQ Access Manager but NetIQ does not accept this
request because, from what we understand from NetIQ, this request is not
signed.
It seems that Keycloak does not support sending signed LogoutRequests from
SAML Identity Providers? Is this indeed the case and how could we go about
solving this? Maybe create a custom IdentityProvider or possibly send a
SAML LogoutRequest to NetIQ from our application directly?
Example of SAML LogoutRequest sent by Keycloak:
<samlp:LogoutRequest
Destination="https://dummyhost.net/nidp/saml2/slo"
ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d"
IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
http://localhost:8080/auth/realms/our-realm</saml:Issuer>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
<samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
</samlp:LogoutRequest>
I am no expert on SAML at all but this is from the SAML 2.0 specs (
https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profil...
):
4.4.4.1 <LogoutRequest> Usage:
"The requester MUST authenticate itself to the responder and ensure
message integrity, either by signing the message or using a
binding-specific mechanism."
Should Keycloak not support signing SAML LogoutRequests?
cheers
Edgar
--
hans.zandbelt(a)zmartzone.eu
ZmartZone IAM -
www.zmartzone.eu
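The check NetIQ is effectively applying here is the one from SAML profiles 4.4.4.1 quoted above: under the POST binding the LogoutRequest itself must carry an enveloped XML Signature whose Reference points at the request's own ID. The script below is an added example (not Keycloak, NetIQ or ZmartZone code) that does that structural check on a LogoutRequest, using the unsigned request from this thread as input and a constructed signed variant for comparison. It only confirms that a signature element is present and bound to the right ID; the cryptographic verification of SignatureValue against the issuer's certificate is left to an xmlsec-based library, and for the HTTP-Redirect binding the signature lives in the SigAlg/Signature query parameters rather than in the XML, so this check does not apply there.

```python
"""Structural check for signed SAML 2.0 LogoutRequests (POST binding).

Added example for the keycloak-user thread above; not Keycloak or NetIQ code.
It checks that an enveloped ds:Signature is present and references the
request ID. It does NOT verify the signature cryptographically: feed the
message to an xmlsec-based verifier for that.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# The unsigned LogoutRequest exactly as posted in the thread (dummy host/IDs).
UNSIGNED_REQUEST = """<samlp:LogoutRequest
Destination="https://dummyhost.net/nidp/saml2/slo"
ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d"
IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
http://localhost:8080/auth/realms/our-realm</saml:Issuer>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
<samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def inspect_logout_request(xml_text: str) -> dict:
    """Return what a POST-binding responder needs to know before accepting."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: %s" % root.tag)
    request_id = root.get("ID")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else None

    sig = root.find("ds:Signature", NS)          # enveloped signature, if any
    signed = sig is not None
    reference_ok = False
    if signed:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        # The Reference must be bound to this very request, not some other ID.
        reference_ok = ref is not None and ref.get("URI") == "#%s" % request_id

    if not signed:
        reason = "no ds:Signature on LogoutRequest (required for POST binding)"
    elif not reference_ok:
        reason = "ds:Signature does not reference the LogoutRequest ID"
    else:
        reason = "signature present and bound to request ID; verify it next"
    return {"id": request_id, "issuer": issuer, "signed": signed,
            "reference_ok": reference_ok, "accept": signed and reference_ok,
            "reason": reason}


def add_signature_skeleton(unsigned_xml: str, reference_id: str) -> str:
    """Constructed test data: insert a ds:Signature *skeleton* after Issuer.

    DigestValue/SignatureValue are placeholders, so the result would fail real
    verification; it exists only to exercise the structural check above.
    """
    root = ET.fromstring(unsigned_xml)
    ds = "{%s}" % NS["ds"]
    sig = ET.Element(ds + "Signature")
    info = ET.SubElement(sig, ds + "SignedInfo")
    ET.SubElement(info, ds + "CanonicalizationMethod",
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(info, ds + "SignatureMethod",
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ref = ET.SubElement(info, ds + "Reference", URI="#" + reference_id)
    ET.SubElement(ref, ds + "DigestMethod",
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, ds + "DigestValue").text = "PLACEHOLDER-DIGEST"
    ET.SubElement(sig, ds + "SignatureValue").text = "PLACEHOLDER-SIGNATURE"
    root.insert(1, sig)   # SAML core places ds:Signature right after Issuer
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    rid = "ID_7b7e1700-235b-403d-af08-a0c77dd7f26d"
    for label, msg in [("as posted", UNSIGNED_REQUEST),
                       ("signed, right ID", add_signature_skeleton(UNSIGNED_REQUEST, rid)),
                       ("signed, wrong ID", add_signature_skeleton(UNSIGNED_REQUEST, "ID_other"))]:
        r = inspect_logout_request(msg)
        print("%-17s accept=%-5s %s" % (label, r["accept"], r["reason"]))
```

Run against the request from the thread it reports "no ds:Signature on LogoutRequest", which is the same conclusion NetIQ reached; once "Want AuthnRequests Signed" makes Keycloak emit a ds:Signature, the structural check passes and the remaining work is the cryptographic verification this script deliberately leaves out.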