[keycloak-dev] Keycloak and SAML AudienceRestriction

Hynek Mlnarik hmlnarik at redhat.com
Wed Aug 8 08:35:06 EDT 2018


Thanks for raising this.

We should implement a check similar to the one for the "aud" claim in OIDC
and require strict validation. The actual value of the audience URI would be
either the realm URL or a SAML endpoint URL within the realm. I've introduced
a more general https://issues.jboss.org/browse/KEYCLOAK-8010 that will
address this item.

--Hynek

On Thu, Aug 2, 2018 at 12:44 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hi,
>
> It's been SAML time recently in keycloak-dev, so I won't be breaking
> the trend... :)
>
> A customer tasked us with configuring Keycloak brokering to the 3rd
> party SAML IdP. The IdP doesn't allow for SP metadata import, so the
> values have to be configured manually, of which the two are mandatory,
> namely Assertion Consumer Service URL and Audience (Entity ID).
>
> While things are crystal clear with ACS URL, there was some
> misunderstanding with the Audience parameter. Assuming that it should
> be equal to the EntityID of Keycloak (acting as an SP in this case),
> we've put it there. After that, while reconfiguring for IdP-initiated
> SSO, we have changed the ACS (the /clients/{url-name} suffix is
> appended to it), but the question was what to do with Entity ID. By
> experiment, we have determined that actually any non-empty value
> worked.
>
> The situation is ambiguous, and we need to communicate it to the
> customer somehow. The line in the docs "put any non-empty value"
> smells fishy to me. I've found a technical explanation though; the
> Audience (Entity ID) value ends up in the AudienceRestriction tag of
> the SAML response. While Keycloak's SAML parser is aware of that tag,
> it isn't processed in any way (ignored, in other words).
>
> Here's what the SAML spec says on AudienceRestriction:
>
> >  Although a SAML relying party that is outside the audiences
> > specified is capable of drawing conclusions from an assertion, the
> > SAML asserting party explicitly makes no representation as to
> > accuracy or trustworthiness to such a party...
> >
> >   ...the <AudienceRestriction> element allows the SAML asserting
> > party to state explicitly that no warranty is provided to such a
> > party in a machine- and human-readable form. While there can be no
> > guarantee that a court would uphold such a warranty exclusion in every
> > circumstance, the probability of upholding the warranty exclusion is
> > considerably improved...
>
> http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>
> Nothing is said in the spec about whether the AudienceRestriction check is
> mandatory, so I'd suppose it is optional. Some SAML-enabled software
> however implements strict checking, WebLogic being a well-known case.
>
> So it doesn't look like a defect or a security vulnerability, and
> shouldn't pose any problems? Wanted to know the stance of the Keycloak
> dev team on this.
>
> Thanks in advance!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

