[keycloak-user] Keycloak as a SAML SP: Is it possible to configure Keycloak to use RSA-SHA256 as the algorithm to sign assertions.
Bill Burke
bburke at redhat.com
Fri Feb 12 18:13:49 EST 2016
So, you're not using keycloak-server, just our SAML client SP adapter?
http://keycloak.github.io/docs/userguide/saml-client-adapter/html/adapter-config.html#d4e124
You can set the signature algorithm there. The IDP section is basically
describing what the IDP expects when you communicate to it.
On 2/12/2016 6:43 AM, Akshay Kini wrote:
> Hi Bill,
>
> Thanks for looking into this.
>
> The usecase is:
>
> Keycloak is an SP and it is sending an AuthnRequest via HTTP Post.
> This AuthnRequest is always using RSA-SHA1 for signing.
>
> I have configured the Keycloak config file as follows:
> <keycloak-saml-adapter>
> <SP entityID="exampleEntityID"
> sslPolicy="NONE"
> logoutPage="/logout.jsp"
> nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> forceAuthentication="false"
> signatureAlgorithm="RSA_SHA256">
>
>
> In fact the SP element doesn't have the "signatureAlgorithm"
> documented anywhere in the SAML Client Adapter Reference Guide (it
> only exists for the IDP).
>
> Now this is a bit of unfamiliar territory for me, but I looked into
> the Keycloak Code base (master):
> I see that the org.keycloak.adapters.saml.config.parsers.SPXmlParser
> doesn't deal with ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR while
> the IDPXmlParser does.
>
>
> Again, thanks for looking into this.
>
> P.S. Sorry to all the mailing list subscribers, this "chain" might get
> broken despite me changing the subject. I am not sure how to fix that
> when using Gmail and subscribing to a digest mailing-list. Please send
> a direct e-mail to me if you know how to fix that.
>
> Thanks,
> Regards,
> Akshay
>
>
> On Thu, Feb 11, 2016 at 7:36 PM, <keycloak-user-request at lists.jboss.org> wrote:
>
>
> Today's Topics:
>
> 1. Re: User-Federation (Renann Prado)
> 2. Re: User-Federation (Renann Prado)
> 3. Re: Keycloak as a SAML SP: Is it possible to configure
> Keycloak to use RSA-SHA256 as the algorithm to sign assertions.
> (Bill Burke)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 11 Feb 2016 11:16:29 -0200
> From: Renann Prado <prado.renann at gmail.com>
> Subject: Re: [keycloak-user] User-Federation
> To: Reed Lewis <RLewis at carbonite.com>
> Cc: keycloak-user at lists.jboss.org
> Message-ID: <CAEBys6KM1-n6wFqTJAAqb_aYaQdZwuiaUz2AspF5d-8Za=E9wQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Is there any recommended way to make sure these endpoints won't be
> spammed
> by an attacker? Looks like these endpoints need to be open to anyone.
>
> Thanks
> On Feb 3, 2016 11:18, "Reed Lewis" <RLewis at carbonite.com> wrote:
>
> > If you use the federation provider listed here:
> >
> > [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
> > [1]: https://github.com/Smartling/keycloak-user-migration-provider
> >
> > You can specify a URL that will be called when a user needs to be
> > validated.
> >
> > There are three requests that need to be implemented in your server.
> >
> > GET <baseURL>/api/users/<username>/
> > If the user exists, it should return a 200 with a json object with the
> > return type "application/json" with the following fields:
> > username
> > email
> > emailVerified
> > firstName
> > lastName
> > roles ["user"]
> >
> > If the user does not exist, return a 404
> >
> > HEAD <baseURL>/api/users/<username>/
> > Always return 200
> >
> > POST <baseURL>/api/users/<username>/
> > The password is posted to you in a json object.
> > Return 200 if the password is OK, 401 if not. In both cases return no
> > data.
> >
> > I wrote a small python module which implements these methods which works
> > quite well.
> >
> > Reed
> >
> > From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stuart Jacobs
> > <stuart.jacobs at symbiotics.co.za>
> > Date: Wednesday, February 3, 2016 at 2:40 AM
> > To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> > Subject: [keycloak-user] User-Federation
> >
> > Hi Everyone,
> >
> > I have an application that runs on a PostgreSQL database. Keycloak has
> > been configured and has created all the required tables/columns in my
> > schema using Liquibase on start up of the Keycloak server.
> >
> > I need to authenticate users using the project's existing user table,
> > obtaining the username and password from this table.
> >
> > I have had a look at the federation provider project under the example
> > projects, but this still eludes me as to how I change the Keycloak mapping
> > to use my own tables in Postgres?
> >
> > Can someone please point me in the right direction, or if someone has
> > implemented such a solution, please share how you have done it?
> >
> > Thanks everyone.
> >
> > Regards,
> > Stuart Jacobs
> >
> > www.symbiotics.co.za
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> ------------------------------
>
> Message: 2
> Date: Thu, 11 Feb 2016 11:17:14 -0200
> From: Renann Prado <prado.renann at gmail.com>
> Subject: Re: [keycloak-user] User-Federation
> To: Reed Lewis <RLewis at carbonite.com>
> Cc: keycloak-user at lists.jboss.org
> Message-ID: <CAEBys6+i6jFdycaCg-rf9vC=T7chbrkKeWsfAbNvC2tidKdhZw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Everyone*
>
> ------------------------------
>
> Message: 3
> Date: Thu, 11 Feb 2016 09:06:49 -0500
> From: Bill Burke <bburke at redhat.com>
> Subject: Re: [keycloak-user] Keycloak as a SAML SP: Is it possible to
> configure Keycloak to use RSA-SHA256 as the algorithm to sign
> assertions.
> To: keycloak-user at lists.jboss.org
> Message-ID: <56BC9579.8080102 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Where? Keycloak Saml SP? Keycloak Server interaction with an
> app/client? Or Keycloak Server acting as an SP in a broker scenario?
>
> They all *should* support plugging in the algorithm. Did you configure
> this correctly?
>
> On 2/11/2016 6:29 AM, Akshay Kini wrote:
> > Hi Folks,
> >
> > We are using Keycloak as a SAML SP.
> >
> > I notice that SAML Assertions are signed using rsa-sha1, could we
> > configure it to use RSA-SHA256?
> >
> > Thanks,
> > Regards,
> > Akshay
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> ------------------------------
>
> End of keycloak-user Digest, Vol 26, Issue 56
> *********************************************
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
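To make the thread's configuration point concrete, here is an added Python audit (not code from the thread or from the Keycloak project) that reports which XML-DSig algorithm a captured SAML message carries and whether a keycloak-saml-adapter config sets signatureAlgorithm on the SP element, which the thread notes the SP parser does not read, or on the IDP element, where Bill says it belongs. The SAML message and the two adapter configs it parses are constructed samples, and the IDP URL in them is a placeholder.

```python
"""Audit the XML-DSig algorithm a SAML message was signed with, and where a
keycloak-saml-adapter config places signatureAlgorithm.  Added example, not
code from the thread or the Keycloak project; all XML inputs are constructed."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# XML-DSig SignatureMethod URIs mapped to the names the Keycloak adapter config uses.
ALGORITHM_NAMES = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA_SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA_SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "RSA_SHA512",
}

def signature_algorithms(saml_xml):
    """Keycloak name (or the raw URI if unknown) of every ds:SignatureMethod in the document."""
    root = ET.fromstring(saml_xml)
    return [ALGORITHM_NAMES.get(m.get("Algorithm", ""), m.get("Algorithm", ""))
            for m in root.iter(DS + "SignatureMethod")]

def uses_sha1(saml_xml):
    """True if any signature in the message still uses SHA-1 (the rsa-sha1 case from the thread)."""
    return any(name.endswith("SHA1") for name in signature_algorithms(saml_xml))

def adapter_signature_settings(adapter_xml):
    """Which elements of a keycloak-saml-adapter config carry signatureAlgorithm.
    Per the thread, the IDP element's attribute is parsed; one on SP is not read."""
    root = ET.fromstring(adapter_xml)
    return {el.tag: el.get("signatureAlgorithm")
            for el in root.iter() if el.get("signatureAlgorithm") is not None}

# Constructed sample: an AuthnRequest signed with rsa-sha1, reduced to what the audit reads.
AUTHN_REQUEST_SHA1 = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
</samlp:AuthnRequest>"""

# Constructed adapter configs: the attribute on SP (not read) versus on IDP (honoured).
# https://idp.example/sso is a placeholder IDP endpoint.
ADAPTER_SP_ONLY = """<keycloak-saml-adapter>
  <SP entityID="exampleEntityID" signatureAlgorithm="RSA_SHA256">
    <IDP entityID="idp"><SingleSignOnService bindingUrl="https://idp.example/sso"/></IDP>
  </SP></keycloak-saml-adapter>"""
ADAPTER_IDP = """<keycloak-saml-adapter>
  <SP entityID="exampleEntityID">
    <IDP entityID="idp" signatureAlgorithm="RSA_SHA256">
      <SingleSignOnService bindingUrl="https://idp.example/sso"/></IDP>
  </SP></keycloak-saml-adapter>"""
```

Running `adapter_signature_settings` over an adapter config before deployment catches the misplaced attribute that the thread describes, and `uses_sha1` over captured messages confirms what the peer actually signed with.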
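As an added illustration of the REST contract Reed Lewis describes for the Smartling user-migration provider in the quoted digest (this is not Reed's module or the provider's own code), the following models the three requests as one Python function returning status, headers and body. The user record, the PBKDF2 storage of the legacy password and the "password" JSON key are assumptions, since the thread does not state the field name.

```python
"""Pure-function model of the three HTTP calls the Smartling user-migration
provider makes, as Reed Lewis describes them.  Added example, not Reed's module
or the provider's own code; the user table and the "password" JSON key are assumed."""
import hashlib, hmac, json, os

def _hash(password, salt):
    """Salted PBKDF2: the legacy table should hold a hash, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed legacy user table with a single account.
_SALT = os.urandom(16)
USERS = {"alice": {"email": "alice@example.org", "emailVerified": True,
                   "firstName": "Alice", "lastName": "Example", "roles": ["user"],
                   "pw_salt": _SALT, "pw_hash": _hash("correct horse", _SALT)}}
PROFILE_FIELDS = ["email", "emailVerified", "firstName", "lastName", "roles"]

def handle(method, path, body=""):
    """Return (status, headers, body) for GET/HEAD/POST <baseURL>/api/users/<username>/."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[:2] != ["api", "users"]:
        return 404, {}, ""
    username, user = parts[2], USERS.get(parts[2])
    if method == "HEAD":                        # reachability probe: always 200
        return 200, {}, ""
    if method == "GET":                         # profile lookup: 200 + JSON, or 404
        if user is None:
            return 404, {}, ""
        payload = {"username": username, **{k: user[k] for k in PROFILE_FIELDS}}
        return 200, {"Content-Type": "application/json"}, json.dumps(payload)
    if method == "POST":                        # password check: 200 or 401, no body
        try:
            supplied = json.loads(body or "{}").get("password", "")   # assumed key name
        except (json.JSONDecodeError, AttributeError):
            return 401, {}, ""
        if not isinstance(supplied, str):
            return 401, {}, ""
        if user is None:
            _hash(supplied, _SALT)              # burn the same time as a real check
            return 401, {}, ""
        ok = hmac.compare_digest(_hash(supplied, user["pw_salt"]), user["pw_hash"])
        return (200 if ok else 401), {}, ""
    return 405, {}, ""
```

The constant-time comparison and the equal-cost path for unknown users keep the endpoint from leaking which usernames exist, which matters because, as Renann notes, the provider has to be able to reach it.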