Hi All,
When trying out SAML SLO with Keycloak using the Redirect Binding, I noticed
that the "SigAlg" GET parameter of the logout response was set to
something like "SHA256withRSA". Quoting from section "3.4.4.1 DEFLATE
Encoding" of the spec:
"The signature algorithm identifier MUST be included as an additional
query string parameter, named SigAlg. The value of this parameter MUST
be a URI that identifies the algorithm used to sign the URL-encoded
SAML protocol message, specified according to [XMLSig] or whatever
specification governs the algorithm."
Libraries such as SimpleSAMLphp and php-saml expect it to be a URI
in the form of "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".
The mismatch causes those libraries to give errors when used with the
Keycloak IdP.
--
Thanks,
Pubudu
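An added example (not code from the post, Keycloak, SimpleSAMLphp or php-saml) showing the SP-side check the post describes: the Redirect-Binding logout URL is split into its raw parameters, SigAlg is required to be one of the XMLSig/RFC 6931 URIs, and the exact octet string the IdP signed is rebuilt in the order the binding mandates. The JCA-name mapping ("SHA256withRSA" to its URI) is an assumed, opt-in compatibility shim, not something the spec allows; the caller base64-decodes the returned signature and verifies it with the IdP's public key and the returned algorithm.

```python
from urllib.parse import unquote_plus, urlsplit

# Signature algorithm URIs (XMLSig / RFC 6931) that a Redirect-Binding
# verifier should accept as SigAlg values.
SIGALG_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}

# Java JCA-style names, such as the "SHA256withRSA" seen in the report, mapped
# to the URI the spec requires. Assumed compatibility shim for a non-conforming
# IdP; opt in explicitly rather than tolerating it by default.
JCA_TO_URI = {
    "SHA1withRSA": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "SHA256withRSA": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SHA384withRSA": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "SHA512withRSA": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}

def normalize_sigalg(value, tolerate_jca=False):
    """Return the SigAlg URI to verify with, or None if the value is not acceptable."""
    if value in SIGALG_URIS:
        return value
    return JCA_TO_URI.get(value) if tolerate_jca else None

def parse_redirect_logout(url, tolerate_jca=False):
    """Split a Redirect-Binding URL into (sigalg_uri, signed_octets, signature_b64).

    The signed string is rebuilt from the raw, still URL-encoded values in the
    order the binding mandates (SAMLResponse, optional RelayState, SigAlg);
    decoding and re-encoding them would break verification. Returns None when
    a required parameter is missing or SigAlg is not acceptable.
    """
    raw = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, val = pair.partition("=")
        raw[key] = val  # keep the value exactly as transmitted
    msg_key = "SAMLResponse" if "SAMLResponse" in raw else "SAMLRequest"
    if msg_key not in raw or "SigAlg" not in raw or "Signature" not in raw:
        return None
    sigalg = normalize_sigalg(unquote_plus(raw["SigAlg"]), tolerate_jca)
    if sigalg is None:
        return None
    parts = [f"{msg_key}={raw[msg_key]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return sigalg, "&".join(parts).encode("ascii"), unquote_plus(raw["Signature"])
```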