[keycloak-user] Keycloak as an Identity Broker Encrypting SAML Assertions

Hynek Mlnarik hmlnarik at redhat.com
Fri Sep 15 09:06:54 EDT 2017


This issue [1] should be fixed in 3.3.0.

[1] https://issues.jboss.org/browse/KEYCLOAK-4775

On Tue, Sep 12, 2017 at 10:34 PM, Jason Spittel <jasonspittel at yahoo.com> wrote:
> Hello,
> I'm trying to integrate with the InCommon federation, using Keycloak as an Identity Broker.
> Workflow is JEE app <--> Keycloak Broker <--> InCommon IdP.
> The problem is that InCommon requires SAML Assertion Encryption. As far as I can see, in the Keycloak IdP setup, I can only set signing for the document.
> Looking at this SPSSODescriptor from Keycloak:
> <EntityDescriptor entityID="ENTITY_ID_FOR_IDP">
>   <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
>     <KeyDescriptor use="signing">
>       <dsig:KeyInfo>
>         <dsig:KeyName>ASDFASDFASDF</dsig:KeyName>
>         <dsig:X509Data>
>           <dsig:X509Certificate>qwerqwerqwer</dsig:X509Certificate>
>         </dsig:X509Data>
>       </dsig:KeyInfo>
>     </KeyDescriptor>
>     ........
>   </SPSSODescriptor>
> </EntityDescriptor>
>
> The KeyDescriptor is not for 'signing' and not for 'encrypting'. How do I set that flag?
> Thanks,
> Jason
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

--Hynek
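Whatever version of Keycloak is in play, a broker operator can check what the exported SP metadata actually advertises before handing it to a federation. The script below is an added example, not Keycloak's code or anything from the list: it parses an SP metadata document, collects the KeyDescriptor elements of the SPSSODescriptor, and reports which uses are covered. A KeyDescriptor with no `use` attribute counts for both signing and encryption, which is what the SAML 2.0 metadata specification says an omitted `use` means. The three metadata documents embedded in it are constructed for the example; the certificate values are placeholders.

```python
"""Check whether SAML SP metadata advertises an encryption key.

Added example; not Keycloak code. An IdP that must encrypt assertions for an
SP needs a <KeyDescriptor use="encryption"> (or one with no `use`, which the
SAML 2.0 metadata spec defines as valid for both signing and encryption).
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample 1: mirrors the shape of the metadata quoted in the thread,
# a single signing-only KeyDescriptor. Certificate text is a placeholder.
SIGNING_ONLY = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/saml">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample 2: separate signing and encryption keys.
BOTH_KEYS = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/saml">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample 3: one key with no `use` attribute, i.e. valid for both.
UNTYPED_KEY = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>DUALCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""


def key_uses(metadata_xml: str) -> dict:
    """Map each use ('signing', 'encryption') to the certificates that cover it."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    uses = {"signing": [], "encryption": []}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        cert = (cert_el.text or "").strip() if cert_el is not None else ""
        if use is None:
            targets = ("signing", "encryption")   # omitted `use` means both
        elif use in uses:
            targets = (use,)
        else:
            raise ValueError(f"unknown KeyDescriptor use={use!r}")
        for target in targets:
            uses[target].append(cert)
    return uses


def advertises_encryption(metadata_xml: str) -> bool:
    """True if an IdP could encrypt assertions for this SP from its metadata alone."""
    return bool(key_uses(metadata_xml)["encryption"])


if __name__ == "__main__":
    for name, doc in (("signing-only", SIGNING_ONLY), ("both", BOTH_KEYS), ("untyped", UNTYPED_KEY)):
        print(f"{name:13s} uses={key_uses(doc)} encryption={advertises_encryption(doc)}")
```

Run it against the metadata a Keycloak broker exports (the SP-side descriptor for the external IdP) and a federation that requires encrypted assertions will only be able to comply when the second function returns True.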