[keycloak-dev] Keycloak and SAML AudienceRestriction

Dmitry Telegin dt at acutus.pro
Thu Aug 2 06:40:51 EDT 2018 

Hi,

It's been SAML time recently in keycloak-dev, so I won't be breaking
the trend... :)

A customer tasked us with configuring Keycloak brokering to the 3rd
party SAML IdP. The IdP doesn't allow for SP metadata import, so the
values have to be configured manually, of which the two are mandatory,
namely Assertion Consumer Service URL and Audience (Entity ID).

While things are crystal clear with ACS URL, there was some
misunderstanding with the Audience parameter. Assuming that it should
be equal to the EntityID of Keycloak (acting as an SP in this case),
we've put it there. After that, while reconfiguring for IdP-initiated
SSO, we have changed the ACS (the /clients/{url-name} suffix is
appended to it), but the question was what to do with Entity ID. By
experiment, we have determined that actually any non-empty value
worked.

The situation is ambiguous, and we need to communicate it to the
customer somehow. The line in the docs "put any non-empty value" 
smells fishy to me. I've found a technical explanation though; the
Audience (Entity ID) value ends up in the AudienceRestriction tag of
the SAML response. While Keycloak's SAML parser is aware of that tag,
it isn't processed in any way (ignored, in other words).

Here's what the SAML spec says on AudienceRestriction:

>  Although a SAML relying party that is outside the audiences
> specified is capable of drawing conclusions from an assertion, the
> SAML asserting party explicitly makes no representation as to
> accuracy or trustworthiness to such a party...
> 
>   ...the <AudienceRestriction> element allows the SAML asserting
> party to state explicitly that no warranty is provided to such a
> party in a machine- and human-readable form. While there can be no
> guarantee that a court would uphold such a warrantyexclusion in every
> circumstance, the probability of upholding the warranty exclusion is
> considerably improved...

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Nothing is said in the spec about if the AudienceRestriction check is
mandatory, so I'd suppose it is optional. Some SAML-enabled software
however implements strict checking, WebLogic being a well-known case.

So it doesn't look like a defect or a security vulnerability, and
shouldn't pose any problems? Wanted to know the stance of the Keycloak
dev team on this.

Thanks in advance!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

More information about the keycloak-dev mailing list