[keycloak-user] SAML Assertion Signature Algorithm Validation
Gabriel Lavoie
glavoie at gmail.com
Fri Feb 10 11:07:55 EST 2017
Hi,
I'm currently testing different SAML signature algorithms with our
application and I noticed that regardless of the chosen signature algorithm
for a SAML client, Keycloak will accept assertions signed with another
algorithm (ex: KC signs with SHA256 but accepts SHA1 from the SP).
With many other IdPs, when a signature algorithm is chosen, there's a
validation that the same algorithm is used in both directions. I think this
is something that Keycloak should do too as a security measure. Can this be
done right now or an enhancement request would be required?
Thanks,
--
Gabriel Lavoie
glavoie at gmail.com
More information about the keycloak-user
mailing list