[keycloak-user] FW: Keycloak fails to parse SAML Response

Teel, Dustin L. Dustin.Teel at leidos.com
Thu Aug 23 14:10:02 EDT 2018


Hi all,

I am having trouble with Keycloak parsing a SAML Response. I am getting an error that the ds namespace is not bound. If I write a sample class that uses DocumentBuilder, then it correctly parses the SAML. The SAML being parsed is:


<?xml version="1.0"?>
<samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://destination.com/" ID="FIMRSP_67b6e181-0165-1403-a33d-f046e5a10b84" IssueInstant="2018-08-23T16:56:03Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sample.com</saml:Issuer>
  <ds:Signature Id="uuid67b6e182-0165-10ca-95d5-f046e5a10b84">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#FIMRSP_67b6e181-0165-1403-a33d-f046e5a10b84">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="samlp saml xs ds xsi"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>digesthere</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>sighere</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>certhere</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:EncryptedAssertion>
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="uuid67b6e13c-0165-1a93-99f5-f046e5a10b84" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <EncryptedKey Id="uuid67b6e13d-0165-1ba6-9504-f046e5a10b84">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <ds:KeyInfo>
            <ds:KeyName>KeyNameHere</ds:KeyName>
          </ds:KeyInfo>
          <CipherData>
            <CipherValue>cipherhere</CipherValue>
          </CipherData>
        </EncryptedKey>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>cipherhere</CipherValue>
      </CipherData>
    </EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>

Any idea why it would be complaining about the “ds” prefix, and how to fix it without asking the identity provider sending this response to change the way their SAML is formed? It is valid SAML according to every validator I have tried.

Thanks,

Dustin
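An added example, not from this post or from Keycloak, of one way a document shaped like the one above can produce a "prefix not bound" error even though it parses as a whole: the ds prefix is declared only on samlp:Response, so any code path that cuts the EncryptedData element out as raw text and re-parses it on its own loses the binding for the ds:KeyInfo inside it. The Python below reproduces that with a constructed, trimmed stand-in for the posted response and shows the repair of re-declaring the in-scope prefixes on the fragment's root tag; that Keycloak's parser does something like this is an assumption, not established by the post.

```python
import io
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for the posted response: ds is declared only on the root.
SAML_RESPONSE = """<?xml version="1.0"?>
<samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <saml:EncryptedAssertion>
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="_ed">
      <ds:KeyInfo><ds:KeyName>KeyNameHere</ds:KeyName></ds:KeyInfo>
      <CipherData><CipherValue>cipherhere</CipherValue></CipherData>
    </EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

def parse_error(xml_text):
    """None if the text parses with namespace checking, else the parser's message."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)  # e.g. "unbound prefix: line 2, column 6"

def cut_fragment(xml_text, local_name):
    """Slice one element out of the raw text, the way a naive extractor would."""
    return re.search(rf"<{local_name}\b.*?</{local_name}>", xml_text, re.S).group(0)

def in_scope_namespaces(xml_text, target_tag):
    """Track xmlns scope while parsing; return {prefix: uri} bound at target_tag's start tag."""
    scope = []  # (prefix, uri) pairs currently in scope; inner declarations shadow outer
    source = io.BytesIO(xml_text.encode())
    for event, payload in ET.iterparse(source, ("start-ns", "end-ns", "start")):
        if event == "start-ns":
            scope.append(payload)
        elif event == "end-ns":
            scope.pop()
        elif payload.tag == target_tag:
            return dict(scope)

def rebind(fragment, bound):
    """Re-declare on the fragment's root start tag every in-scope prefix it does not declare."""
    head, sep, rest = fragment.partition(">")
    for prefix, uri in bound.items():
        attr = f"xmlns:{prefix}" if prefix else "xmlns"
        if f"{attr}=" not in head:
            head += f' {attr}="{uri}"'
    return head + sep + rest
```

The same scope-tracking check can be run over a real response before handing it to a downstream component, to see which prefixes a sub-element depends on from its ancestors.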
