[keycloak-user] Keycloak as a SAML SP: Is it possible to configure Keycloak to use RSA-SHA256 as the algorithm to sign assertions.

Akshay Kini kga.official at gmail.com
Fri Feb 12 06:43:10 EST 2016


Hi Bill,

Thanks for looking into this.

The use case is:

Keycloak is an SP and it is sending an AuthnRequest via HTTP Post. This
AuthnRequest is always using RSA-SHA1 for signing.

I have configured the Keycloak config file as follows:
<keycloak-saml-adapter>
    <SP entityID="exampleEntityID"
        sslPolicy="NONE"
        logoutPage="/logout.jsp"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        forceAuthentication="false"
        signatureAlgorithm="RSA_SHA256">


In fact the SP element doesn't have the "signatureAlgorithm" documented
anywhere in the SAML Client Adapter Reference Guide (it only exists for the
IDP).

Now this is a bit of unfamiliar territory for me, but I looked into the
Keycloak Code base (master):
I see that the org.keycloak.adapters.saml.config.parsers.SPXmlParser
doesn't deal with ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR while the
IDPXmlParser does.


Again, thanks for looking into this.

P.S. Sorry to all the mailing list subscribers, this "chain" might get
broken despite me changing the subject. I am not sure how to fix that when
using Gmail and subscribing to a digest mailing-list. Please send a direct
e-mail to me if you know how to fix that.

Thanks,
Regards,
Akshay

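To check which algorithm a captured AuthnRequest actually carries, here is an added Python example (not from this thread and not Keycloak code): it decodes the HTTP-POST SAMLRequest form field, reads the XML-DSig SignatureMethod and DigestMethod URIs, and compares them with the URI the configured signatureAlgorithm name should produce. The sample request and the name-to-URI mapping are constructed assumptions.

```python
import base64
from xml.etree import ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# XML-DSig URIs behind the adapter's signatureAlgorithm names (assumed mapping;
# check it against the SignatureAlgorithm enum of the Keycloak version you run).
KEYCLOAK_SIGNATURE_URIS = {
    "RSA_SHA1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "RSA_SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "RSA_SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}

def inspect_saml_request(saml_request_b64):
    """Decode an HTTP-POST SAMLRequest form field and report its signature algorithms."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    sig = root.find(DS + "Signature")  # enveloped signature, a child of AuthnRequest
    if sig is None:
        return {"signed": False, "signature_algorithm": None,
                "digest_algorithm": None, "uses_sha1": False}
    sig_alg = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
    digest_alg = sig.find(f".//{DS}DigestMethod").get("Algorithm")
    # Both the signature and the reference digest must move off SHA-1 (the
    # identifiers for rsa-sha1, dsa-sha1 and the sha1 digest all end in "sha1").
    return {"signed": True, "signature_algorithm": sig_alg, "digest_algorithm": digest_alg,
            "uses_sha1": sig_alg.endswith("sha1") or digest_alg.endswith("sha1")}

def matches_config(report, configured_name):
    """True when the request was signed with the algorithm the SP element asks for."""
    return bool(report["signed"] and
                report["signature_algorithm"] == KEYCLOAK_SIGNATURE_URIS[configured_name])

# Constructed sample: a minimal signed AuthnRequest with placeholder digest/signature values.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_constructed" Version="2.0">
  <saml:Issuer>exampleEntityID</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#ID_constructed">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""
SAMPLE_SAML_REQUEST_B64 = base64.b64encode(SAMPLE_AUTHN_REQUEST.encode()).decode()
```

Feed it the SAMLRequest value from the browser's POST to the IdP; a report with uses_sha1 true while matches_config(report, "RSA_SHA256") is false is exactly the symptom described above.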

On Thu, Feb 11, 2016 at 7:36 PM, <keycloak-user-request at lists.jboss.org>
wrote:

> Send keycloak-user mailing list submissions to
>         keycloak-user at lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
>         keycloak-user-request at lists.jboss.org
>
> You can reach the person managing the list at
>         keycloak-user-owner at lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
>    1. Re: User-Federation (Renann Prado)
>    2. Re: User-Federation (Renann Prado)
>    3. Re: Keycloak as a SAML SP: Is it possible to configure
>       Keycloak to use RSA-SHA256 as the algorithm to sign assertions.
>       (Bill Burke)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 11 Feb 2016 11:16:29 -0200
> From: Renann Prado <prado.renann at gmail.com>
> Subject: Re: [keycloak-user] User-Federation
> To: Reed Lewis <RLewis at carbonite.com>
> Cc: keycloak-user at lists.jboss.org
> Message-ID:
>         <CAEBys6KM1-n6wFqTJAAqb_aYaQdZwuiaUz2AspF5d-8Za=
> E9wQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Is there any recommended way to make sure these endpoints won't be spammed
> by an attacker? Looks like these endpoints need to be open to anyone.
>
> Thanks
> On Feb 3, 2016 11:18, "Reed Lewis" <RLewis at carbonite.com> wrote:
>
> > If you use the federation provider listed here:
> >
> > [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
> > [1]: https://github.com/Smartling/keycloak-user-migration-provider
> >
> > You can specify a URL that will be called when a user needs to be
> > validated.
> >
> > There are three requests that need to be implemented in your server.
> >
> > GET <baseURL>/api/users/<username>/
> > If the user exists, it should return a 200 with a json object with the
> > return type "application/json" with the following fields:
> > username
> > email
> > emailVerified
> > firstName
> > lastName
> > roles ["user"]
> >
> > If the user does not exist, return a 404
> >
> > HEAD <baseURL>/api/users/<username>/
> > Always return 200
> >
> > POST <baseURL>/api/users/<username>/
> > The password is posted to you in a json object.
> > Return 200 if the password is OK, 401 if not.  In both cases return no
> > data.
> >
> > I wrote a small python module which implements these methods which works
> > quite well.
> >
> > Reed
> >
> > From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stuart Jacobs <stuart.jacobs at symbiotics.co.za>
> > Date: Wednesday, February 3, 2016 at 2:40 AM
> > To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> > Subject: [keycloak-user] User-Federation
> >
> > Hi Everyone,
> >
> > I have an application that runs on a postgresql database, keycloak has
> > been configured and has created all the required tables/columns in my
> > schema using liquibase on start up of the keycloak server.
> >
> > I need to authenticate users using the project's existing user table
> > obtaining the username and password from this table.
> >
> > I have had a look at the federation provider project under the example
> > projects but this still eludes me as to how I change the keycloak mapping
> > to use my own tables in postgres?
> >
> > Can someone please point me in the right direction or if someone has
> > implemented such a solution please share how you have done it?
> >
> > Thanks everyone.
> >
> >   Regards,
> >   Stuart Jacobs
> >
> > www.symbiotics.co.za
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> ------------------------------
>
> Message: 2
> Date: Thu, 11 Feb 2016 11:17:14 -0200
> From: Renann Prado <prado.renann at gmail.com>
> Subject: Re: [keycloak-user] User-Federation
> To: Reed Lewis <RLewis at carbonite.com>
> Cc: keycloak-user at lists.jboss.org
> Message-ID:
>         <CAEBys6+i6jFdycaCg-rf9vC=
> T7chbrkKeWsfAbNvC2tidKdhZw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Everyone*
> On Feb 11, 2016 11:16, "Renann Prado" <prado.renann at gmail.com> wrote:
>
> > Is there any recommended way to make sure these endpoints won't be
> spammed
> > by an attacker? Looks like these endpoints need to be open to anyone.
> >
> > Thanks
> > On Feb 3, 2016 11:18, "Reed Lewis" <RLewis at carbonite.com> wrote:
> >
> >> If you use the federation provider listed here:
> >>
> >> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
> >> [1]: https://github.com/Smartling/keycloak-user-migration-provider
> >>
> >> You can specify a URL that will be called when a user needs to be
> >> validated.
> >>
> >> There are three requests that need to be implemented in your server.
> >>
> >> GET <baseURL>/api/users/<username>/
> >> If the user exists, it should return a 200 with a json object with the
> >> return type "application/json" with the following fields:
> >> username
> >> email
> >> emailVerified
> >> firstName
> >> lastName
> >> roles ["user"]
> >>
> >> If the user does not exist, return a 404
> >>
> >> HEAD <baseURL>/api/users/<username>/
> >> Always return 200
> >>
> >> POST <baseURL>/api/users/<username>/
> >> The password is posted to you in a json object.
> >> Return 200 if the password is OK, 401 if not.  In both cases return no
> >> data.
> >>
> >> I wrote a small python module which implements these methods which works
> >> quite well.
> >>
> >> Reed
> >>
> >> From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stuart Jacobs <stuart.jacobs at symbiotics.co.za>
> >> Date: Wednesday, February 3, 2016 at 2:40 AM
> >> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> >> Subject: [keycloak-user] User-Federation
> >>
> >> Hi Everyone,
> >>
> >> I have an application that runs on a postgresql database, keycloak has
> >> been configured and has created all the required tables/columns in my
> >> schema using liquibase on start up of the keycloak server.
> >>
> >> I need to authenticate users using the project's existing user table
> >> obtaining the username and password from this table.
> >>
> >> I have had a look at the federation provider project under the example
> >> projects but this still eludes me as to how I change the keycloak mapping
> >> to use my own tables in postgres?
> >>
> >> Can someone please point me in the right direction or if someone has
> >> implemented such a solution please share how you have done it?
> >>
> >> Thanks everyone.
> >>
> >>   Regards,
> >>   Stuart Jacobs
> >>
> >> www.symbiotics.co.za
> >>
> >
>
> ------------------------------
>
> Message: 3
> Date: Thu, 11 Feb 2016 09:06:49 -0500
> From: Bill Burke <bburke at redhat.com>
> Subject: Re: [keycloak-user] Keycloak as a SAML SP: Is it possible to
>         configure Keycloak to use RSA-SHA256 as the algorithm to sign
>         assertions.
> To: keycloak-user at lists.jboss.org
> Message-ID: <56BC9579.8080102 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Where?  Keycloak Saml SP?  Keycloak Server interaction with an
> app/client?  Or Keycloak Server acting as an SP in a broker scenario?
>
> They all *should* support plugging in the algorithm.  Did you configure
> this correctly?
>
> On 2/11/2016 6:29 AM, Akshay Kini wrote:
> > Hi Folks,
> >
> > We are using Keycloak as a SAML SP.
> >
> > I notice that SAML Assertions are signed using rsa-sha1, could we
> > configure it to use RSA-SHA256?
> >
> > Thanks,
> > Regards,
> > Akshay
> >
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> ------------------------------
>
>
> End of keycloak-user Digest, Vol 26, Issue 56
> *********************************************
>