[keycloak-dev] Support for key rotation in SAML Redirect binding
John Dennis
jdennis at redhat.com
Mon Oct 31 09:56:33 EDT 2016
On 10/31/2016 09:22 AM, Hynek Mlnarik wrote:
> The use case is to support key rotation with SAML, where the realm keys
> are used for signing the assertions, similarly to key rotation support
> for OIDC introduced in 2.3.0 (KEYCLOAK-905). Hence the keys are bound
> to a particular realm (IdP to SP direction, SP verifies IdP's
> signature), and can be rotated at IdP on demand. IdP can provide
> multiple valid keys for the realm, e.g. current and previous
> certificates for signature validation to allow seamless key rotation.
> Hence key ID information needs to be included with the assertion/message
> to provide hint on which key was used for signing. For details, please
> see comments KEYCLOAK-1881 [including comments].
Yes, I understand the key rotation issue, what I don't understand is why
you need a key id. Both the SP and the IdP can identify the key based on
the entityID in the SAML message. In the case of key rotation there is
an ordered list of keys. You obtain the list based on the entityID and
iterate over the list trying each key in succession.
What value is there in sending the key id in the SAML message? It's an
optimization that only works if each party knows how to interpret that
value, and to the best of my knowledge there is no interoperability
mechanism defined for this. Remember, it's the receiving party that must
select the correct key to verify the signature or decrypt a message.
Only the sending party can insert the key id into the message, so even
if you included the key id I don't understand what it's accomplishing,
because the receiving party would have to interpret that value (the
sending party knows the key based on ID, but it would never see the
key id in a message).
--
John
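The two selection strategies discussed in this exchange, as an added Python illustration that is not Keycloak code and not part of the original thread: the receiver looks up an ordered key list by the sender's entityID and tries each key in succession, and a key id carried in the message is treated only as a hint that reorders the attempts, never as something the receiver must understand. The entityID, key ids and assertion bytes are constructed for the example, and HMAC-SHA256 stands in for the RSA XML-DSig signature so that it runs with the standard library alone; the key-selection logic is what the example shows.

```python
"""Key selection for signature verification under key rotation.

Added illustration, not Keycloak code. The receiving party (SP) holds, per
sending entityID, an ordered list of trusted keys (current key first, the
previous ones after it). Verification iterates over that list; an optional
key id carried in the message only reorders the attempts.

HMAC-SHA256 stands in for XML-DSig/RSA so the example needs only the
standard library; the selection logic is identical for asymmetric keys.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# entityID -> ordered list of (key_id, key_bytes); index 0 is the current key.
TrustStore = Dict[str, List[Tuple[str, bytes]]]


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for the IdP's signature operation (HMAC instead of RSA)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def rotate_key(store: TrustStore, entity_id: str, key_id: str, key: bytes,
               keep: int = 2) -> None:
    """Install a new current key for entity_id, retaining the last `keep`
    keys so messages signed during the overlap window still verify."""
    keys = store.setdefault(entity_id, [])
    keys.insert(0, (key_id, key))
    del keys[keep:]


def verify_with_rotation(store: TrustStore, entity_id: str, message: bytes,
                         signature: bytes,
                         key_hint: Optional[str] = None
                         ) -> Tuple[Optional[str], int]:
    """Return (key_id that verified, number of keys tried); key_id is None
    if no trusted key for entity_id verifies the signature.

    Keys are selected by the sender's entityID and tried in order. If the
    message carries a key id the receiver recognises, that key is tried
    first; an unknown or stale hint is simply ignored, so a hint can never
    cause an otherwise verifiable message to be rejected.
    """
    candidates = list(store.get(entity_id, []))
    if key_hint is not None:
        hinted = [k for k in candidates if k[0] == key_hint]
        candidates = hinted + [k for k in candidates if k[0] != key_hint]
    attempts = 0
    for key_id, key in candidates:
        attempts += 1
        # Constant-time comparison; the real check would be XML-DSig.
        if hmac.compare_digest(sign(key, message), signature):
            return key_id, attempts
    return None, attempts


def demo() -> dict:
    """Constructed scenario: an IdP rotates its realm key while an SP still
    receives a message that was signed with the previous key."""
    idp = "https://idp.example.test/realms/demo"  # assumed entityID
    store: TrustStore = {}
    rotate_key(store, idp, "k1", b"realm-key-1")
    assertion = b"<saml:Assertion>constructed sample</saml:Assertion>"
    sig_old = sign(b"realm-key-1", assertion)     # signed before rotation
    rotate_key(store, idp, "k2", b"realm-key-2")  # IdP rotates; k1 kept
    sig_new = sign(b"realm-key-2", assertion)     # signed after rotation
    return {
        "new_no_hint": verify_with_rotation(store, idp, assertion, sig_new),
        "old_no_hint": verify_with_rotation(store, idp, assertion, sig_old),
        "old_with_hint": verify_with_rotation(store, idp, assertion, sig_old, "k1"),
        "old_bad_hint": verify_with_rotation(store, idp, assertion, sig_old, "k9"),
        "unknown_entity": verify_with_rotation(
            store, "https://other.example.test", assertion, sig_new),
        "forged": verify_with_rotation(store, idp, assertion, b"\x00" * 32),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: verified_with={result[0]} attempts={result[1]}")
```

Without a hint the message signed with the previous key costs one extra verification attempt, which is the whole saving a key id offers; with an unrecognised hint the receiver falls back to the same ordered iteration, and an unknown entityID or a forged signature is rejected regardless of any hint.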