[keycloak-user] Encrypted SAML response

Stian Thorgersen sthorger at redhat.com
Wed Jun 29 07:17:05 EDT 2016


I'm pretty sure this isn't possible at the moment, so please create a JIRA
feature request.

On 24 June 2016 at 08:50, Pål Oliver Kristiansen <paal.oliver at gmail.com>
wrote:

> We figured out what was happening with some help from F5 (BigIP)
> technicians.
> Keycloak uses RSA v1.5 as the key transport algorithm, but this is not
> supported in BigIP APM.
>
> It also seems like v1.5 is largely deprecated and BigIP requires RSA-OAEP
> for this.
>
> This seems to be set
> in XMLEncryptionUtil.getXMLEncryptionURLForKeyUnwrap(...)
> returning XMLCipher.RSA_v1dot5 if the public SP key was an RSA key.
>
> Is there any way to easily change from RSAv1.5 to RSA-OAEP?
>
> References:
>
> https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-hotfix-bigip-12-0-0.html#A534555-1
>
> https://tools.ietf.org/html/rfc3560
>
> Thanks!
>
> ons. 22. jun. 2016 kl. 15.34 skrev Pål Oliver Kristiansen <
> paal.oliver at gmail.com>:
>
>> Thanks Bill!
>>
>> What we did was to create the client in Keycloak by importing the SP
>> metadata file. So the "Encryption Key" and "Signing Key" have the values
>> from the SP's metadata file already.
>> From what I can gather, the values in this part of the client definition
>> in Keycloak match the values in the metadata file when looking at the
>> elements:
>>
>> <SPSSODescriptor>
>>   <KeyDescriptor use="encryption">
>>     <ds:KeyInfo>
>>       <ds:X509Data>
>>         <ds:X509Certificate>---[Key found in certificate]---</ds:X509Certificate>
>>       </ds:X509Data>
>>     </ds:KeyInfo>
>>   </KeyDescriptor>
>> </SPSSODescriptor>
>>
>> Would this work or am I missing something?
>>
>> I can double check that the private key on the SP side actually is
>> correlated with the public one in the metadata file.
>>
>> ons. 22. jun. 2016 kl. 15.03 skrev Bill Burke <bburke at redhat.com>:
>>
>>> Once you've enabled encryption, you have to go to the 'SAML Keys' tab.
>>> There is an Encryption Key at the bottom of that screen.  You can have
>>> Keycloak generate the private key and cert for the SP, or you can import
>>> the SP's certificate that is stored in a PEM file, JKS, or PKCS12 file.
>>>
>>> On 6/22/16 3:47 AM, Pål Oliver Kristiansen wrote:
>>> > Hi!
>>> >
>>> > We have set up Keycloak as an IDP with an F5 BigIP APM as a SAML SP.
>>> > Everything works well out of the box, but when we activate encryption of
>>> > assertions, we get an error on the BigIP side.
>>> >
>>> > So in order to investigate the situation, I'm trying to understand the
>>> > process of SAML assertion response encryption.
>>> > And I am a bit confused when reading the Keycloak documentation and
>>> > comparing that to what I see in the Keycloak admin console.
>>> > Here is what I mean; in the documentation
>>> > (https://keycloak.github.io/docs/userguide/keycloak-server/html/saml.html),
>>> > activating assertion response encryption is described like this:
>>> >
>>> > "Encrypt Assertions
>>> > Encrypt assertions in SAML documents with the realm's private key. The
>>> > AES algorithm is used with a key size of 128 bits."
>>> >
>>> > But in the admin console (under clients) it is described like this in
>>> > the tooltip:
>>> >
>>> > "Encrypt Assertions
>>> > Should SAML assertions be encrypted with client's public key using
>>> AES?"
>>> >
>>> > So basically, which key is used for encrypting the assertion response?
>>> >
>>> > I have inspected the actual HTTP post and it looks something like this:
>>> >
>>> > <samlp:Response>
>>> > ...
>>> >   <saml:EncryptedAssertion>
>>> >     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>> >                         Type="http://www.w3.org/2001/04/xmlenc#Element">
>>> >       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>>> >       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>> >         <xenc:EncryptedKey>
>>> >           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>>> >           <xenc:CipherData>
>>> >             <xenc:CipherValue>---[block of cipher text]---</xenc:CipherValue>
>>> >           </xenc:CipherData>
>>> >         </xenc:EncryptedKey>
>>> >       </ds:KeyInfo>
>>> >       <xenc:CipherData>
>>> >         <xenc:CipherValue>---[block of cipher text]---</xenc:CipherValue>
>>> >       </xenc:CipherData>
>>> >     </xenc:EncryptedData>
>>> >   </saml:EncryptedAssertion>
>>> > </samlp:Response>
>>> >
>>> > So it at least looks like the key to decrypt the encrypted response is
>>> > included. It is encrypted using RSA, but with which key?
>>> > My understanding was something like this:
>>> >
>>> > 1. The encryption of a SAML assertion response is done using AES-128,
>>> > with some key.
>>> > 2. The key is added alongside the encrypted assertion response and
>>> > encrypted using the SP's public key.
>>> > 3. The SP receives the encrypted assertion response and the encrypted
>>> > key, decrypts the key using its private key and uses
>>> > this decrypted key to decrypt the actual assertion response.
>>> >
>>> > Is this generally correct?
>>> >
>>> > The error we get from BigIP is this: "failed to process encrypted
>>> > assertion, error: RSA decrypt"
>>> > Which leads me to think that maybe the decryption of the included key
>>> > did not work out.
>>> > Any ideas or tips to how to approach this?
>>> >
>>> > Thanks!
>>> >
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>
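Added example, not from the thread, from Keycloak or from F5: a small check that reads a SAML 2.0 Response and reports the data-encryption and key-transport algorithm URIs the IdP used, which is what had to be dug out of the HTTP POST by hand above. It assumes the Response is available as XML text (or base64-encoded in the SAMLResponse form field of the HTTP-POST binding); SAMPLE_RESPONSE is constructed to mirror the Response posted in the thread, and all function names are the example's own.

```python
"""Report which XML Encryption algorithms a SAML 2.0 Response uses for its encrypted
assertions, so an IdP/SP mismatch like the one in the thread is visible before decryption.
Added example; SAMPLE_RESPONSE is constructed to mirror the Response posted in the thread."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
LEGACY_KEY_TRANSPORT = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "RSAES-PKCS1-v1_5 key transport; many SPs accept only RSA-OAEP",
}

# Constructed sample; the CipherValues are placeholders, not real ciphertext.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData><xenc:CipherValue>AAECAw==</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>BAUGBw==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def decode_post_binding(saml_response_param):
    """The HTTP-POST binding carries the Response base64-encoded in the SAMLResponse form field."""
    return base64.b64decode(saml_response_param).decode("utf-8")


def inspect_encrypted_assertions(xml_text):
    """One report per saml:EncryptedAssertion: data algorithm, key-transport algorithm, warnings."""
    root = ET.fromstring(xml_text)
    reports = []
    for enc in root.iterfind("saml:EncryptedAssertion", NS):
        report = {"data_algorithm": None, "key_transport": None, "warnings": []}
        data = enc.find("xenc:EncryptedData", NS)
        if data is None:
            report["warnings"].append("EncryptedAssertion carries no EncryptedData")
            reports.append(report)
            continue
        method = data.find("xenc:EncryptionMethod", NS)
        if method is not None:
            report["data_algorithm"] = method.get("Algorithm")
        # Keycloak places EncryptedKey inside ds:KeyInfo; other producers put it beside EncryptedData.
        enc_key = data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
        if enc_key is None:
            enc_key = enc.find("xenc:EncryptedKey", NS)
        if enc_key is None:
            report["warnings"].append("no EncryptedKey: the SP must already hold the content key")
        else:
            km = enc_key.find("xenc:EncryptionMethod", NS)
            report["key_transport"] = km.get("Algorithm") if km is not None else None
            if report["key_transport"] in LEGACY_KEY_TRANSPORT:
                report["warnings"].append(LEGACY_KEY_TRANSPORT[report["key_transport"]])
            cv = enc_key.find("xenc:CipherData/xenc:CipherValue", NS)
            if cv is None or not cv.text:
                report["warnings"].append("EncryptedKey has no CipherValue")
        if report["data_algorithm"] and report["data_algorithm"].endswith("-cbc"):
            report["warnings"].append("CBC mode has no integrity check: verify the XML signature before decrypting")
        reports.append(report)
    return reports
```

Run it on the raw Response captured from the browser (after `decode_post_binding` if you took it from the form field). ElementTree is adequate for this read-only inspection; a production SP should parse untrusted SAML with a hardened parser (defusedxml or equivalent) and verify the signature before any decryption is attempted.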
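The key-transport mismatch the thread ends on, worked through as an added example that is not part of the thread or of Keycloak's code. It implements the two paddings behind the algorithm URIs (RSAES-PKCS1-v1_5 for rsa-1_5, RSAES-OAEP with SHA-1 and MGF1 for rsa-oaep-mgf1p) from the Python standard library, wraps a 16-byte AES key with the SP's public key as the IdP would, and unwraps it with the SP's private key under each scheme; the cross pairings are the only ones that fail, which is the padding check behind the SP-side "RSA decrypt" error. Assumptions: a throwaway 512-bit key generated in the block stands in for the SP's key pair from its metadata (far too small for real use), and every function name is the example's own.

```python
"""RSA key transport as XML Encryption uses it: RSAES-PKCS1-v1_5 (xmlenc#rsa-1_5) versus
RSAES-OAEP with SHA-1/MGF1 (xmlenc#rsa-oaep-mgf1p). Standard library only; the 512-bit
demo key is far too small for real use."""
import hashlib
import os
import random

RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=32):  # Miller-Rabin for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def generate_key(bits=512):
    """Return (n, e, d); stands in for the SP's key pair (assumed, demo-sized)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _mgf1(seed, length):  # MGF1 with SHA-1, as rsa-oaep-mgf1p specifies
    out = b"".join(hashlib.sha1(seed + c.to_bytes(4, "big")).digest() for c in range(length // 20 + 1))
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs1_v15_encode(msg, k):  # EM = 00 || 02 || PS (random non-zero bytes) || 00 || M
    ps = b""
    while len(ps) < k - len(msg) - 3:
        ps += os.urandom(1).replace(b"\x00", b"")
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_decode(em):
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:  # PS must be at least 8 bytes
        raise ValueError("decryption error")  # one error for every failure; never say which
    return em[sep + 1:]

def oaep_encode(msg, k, label=b""):  # RFC 8017 RSAES-OAEP encoding, hLen = 20 (SHA-1)
    db = hashlib.sha1(label).digest() + b"\x00" * (k - len(msg) - 42) + b"\x01" + msg
    seed = os.urandom(20)
    masked_db = _xor(db, _mgf1(seed, k - 21))
    return b"\x00" + _xor(seed, _mgf1(masked_db, 20)) + masked_db

def oaep_decode(em, k, label=b""):
    seed = _xor(em[1:21], _mgf1(em[21:], 20))
    db = _xor(em[21:], _mgf1(seed, k - 21))
    sep = db.find(b"\x01", 20)
    if em[0] != 0 or db[:20] != hashlib.sha1(label).digest() or sep < 0 or any(db[20:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]

def wrap_key(cek, public_key, algorithm):
    """IdP side: pad the AES content-encryption key for the chosen scheme, then RSA-encrypt."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    em = pkcs1_v15_encode(cek, k) if algorithm == RSA_1_5 else oaep_encode(cek, k)
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def unwrap_key(wrapped, private_key, algorithm):
    """SP side: RSA-decrypt, then verify the padding of the scheme the SP is configured for."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(k, "big")
    return pkcs1_v15_decode(em) if algorithm == RSA_1_5 else oaep_decode(em, k)

def interop_matrix(key=None):
    """Every IdP/SP scheme pairing; True means the SP recovered the AES-128 content key."""
    n, e, d = key or generate_key()
    cek = os.urandom(16)  # constructed stand-in for the aes128-cbc key carried in the Response
    results = {}
    for idp_alg in (RSA_1_5, RSA_OAEP):
        for sp_alg in (RSA_1_5, RSA_OAEP):
            try:
                ok = unwrap_key(wrap_key(cek, (n, e), idp_alg), (n, d), sp_alg) == cek
            except ValueError:
                ok = False  # the SP-side "RSA decrypt" failure described in the thread
            results[(idp_alg.split("#")[1], sp_alg.split("#")[1])] = ok
    return results
```

`interop_matrix()` returns True only on the diagonal (rsa-1_5 to rsa-1_5, rsa-oaep-mgf1p to rsa-oaep-mgf1p): the RSA operation itself always succeeds, and it is the padding check of the receiver's configured scheme that rejects a block padded for the other one. Note that both decoders raise the same error for every failure; a v1.5 receiver that reports why the padding was bad is exactly what Bleichenbacher-style attacks exploit, which is the practical reason v1.5 key transport is deprecated in favour of OAEP.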