[keycloak-user] Encrypted SAML response

Pedro Igor Silva psilva at redhat.com
Wed Jun 22 08:25:38 EDT 2016


It is using AES-128 to encrypt the message and RSA for secure communication.

Are you using signatures as well? If so, can you tell me if you are signing only the assertion, the whole response or both?

Also, are you sure that both public and private keys are correlated?

----- Original Message -----
From: "Pål Oliver Kristiansen" <paal.oliver at gmail.com>
To: keycloak-user at lists.jboss.org
Sent: Wednesday, June 22, 2016 4:47:32 AM
Subject: [keycloak-user] Encrypted SAML response

Hi! 

We have set up Keycloak as an IDP with a F5 BigIP APM as a SAML SP.
Everything works well out of the box, but when we activate encryption of assertions, we get an error on the BigIP side.

So in order to investigate the situation, I'm trying to understand the process of SAML assertion response encryption.
And I am a bit confused when reading the Keycloak documentation and comparing that to what I see in the Keycloak admin console.
Here is what I mean; in the documentation ( https://keycloak.github.io/docs/userguide/keycloak-server/html/saml.html ), activating assertion response encryption is described like this:

"Encrypt Assertions 
Encrypt assertions in SAML documents with the realm's private key. The AES algorithm is used with a key size of 128 bits." 

But in the admin console (under clients) it is described like this in the tooltip: 

"Encrypt Assertions 
Should SAML assertions be encrypted with client's public key using AES?" 

So basically, which key is used for encrypting the assertion response? 

I have inspected the actual HTTP post and it looks something like this: 

<samlp:Response>
  ...
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData>
            <xenc:CipherValue>---[block of cipher text]---</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>---[block of cipher text]---</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>

So it at least looks like the key to decrypt the encrypted response is included. It is encrypted using RSA, but with which key? 
My understanding was something like this: 

1. The encryption of a SAML assertion response is done using AES-128, with some key.
2. The key is added alongside the encrypted assertion response and encrypted using the SP's public key.
3. The SP receives the encrypted assertion response and the encrypted key, decrypts the key using its private key and uses this decrypted key to decrypt the actual assertion response.

Is this generally correct? 

The error we get from BigIP is this: "failed to process encrypted assertion, error: RSA decrypt",
which leads me to think that maybe the decryption of the included key did not work out.
Any ideas or tips to how to approach this? 

Thanks! 

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
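An added diagnostic for the "which key?" question in this thread (not code from the thread, from Keycloak or from F5): it parses the EncryptedData layout shown above without decrypting anything, using only the Python standard library on a constructed sample response, and reports the declared algorithms, the RSA modulus size implied by the wrapped-key length (a size that differs from the SP's private key is one concrete cause of an "RSA decrypt" failure), and whether the EncryptedKey identifies the recipient key at all.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_encrypted_assertion(xml_text):
    # Describe the encryption envelope of a SAML response without decrypting it.
    root = ET.fromstring(xml_text)
    enc = root.find(".//saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc is None:
        raise ValueError("response carries no EncryptedAssertion/EncryptedData")
    ek = enc.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if ek is None:
        raise ValueError("EncryptedData carries no EncryptedKey, so the AES key cannot be recovered")
    wrapped = base64.b64decode(ek.findtext("xenc:CipherData/xenc:CipherValue", "", NS))
    body = base64.b64decode(enc.findtext("xenc:CipherData/xenc:CipherValue", "", NS))
    return {
        "data_algorithm": enc.find("xenc:EncryptionMethod", NS).get("Algorithm"),
        "key_transport": ek.find("xenc:EncryptionMethod", NS).get("Algorithm"),
        # RSA output is exactly one modulus wide: 256 bytes means the wrapping key was
        # 2048-bit; if the SP's private key is a different size, "RSA decrypt" must fail.
        "wrapping_key_bits": len(wrapped) * 8,
        # AES-CBC payload is a 16-byte IV followed by ciphertext in whole 16-byte blocks.
        "cbc_layout_ok": len(body) >= 32 and len(body) % 16 == 0,
        # A ds:KeyInfo (X509Data/KeyName) inside EncryptedKey tells the SP which
        # key pair to use; without it the SP can only try its configured key.
        "recipient_key_identified": ek.find("ds:KeyInfo", NS) is not None,
    }

# Constructed sample with the element layout shown in the thread; the cipher values are
# dummy bytes of realistic sizes (2048-bit RSA wrap, IV plus three AES blocks), not real ciphertext.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:EncryptedAssertion>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey>
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
     <xenc:CipherData><xenc:CipherValue>{wrapped}</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
   </ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>{body}</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </saml:EncryptedAssertion>
</samlp:Response>""".format(wrapped=base64.b64encode(bytes(256)).decode(), body=base64.b64encode(bytes(64)).decode())
```

Run it against a real captured response and compare `wrapping_key_bits` with the size of the SP's private key; the sample above, like the thread's capture, carries no recipient key identification inside EncryptedKey.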
