[keycloak-user] SAML Advice assertion with signature

Arjan Lamers a.lamers at first8.nl
Thu Jun 28 10:48:05 EDT 2018


Hi,

We are running KeyCloak 3.4.3-Final for a client and are running into trouble with an identity provider (the Dutch eHerkenning) that is using SAML Advice tags.

We were running an older version of KeyCloak and recently that identity provider started to use <saml:Advice> tags in their responses. We found https://issues.jboss.org/browse/KEYCLOAK-5644, adding support for the Advice tag and that made us upgrade to 3.4.3. However, this patch does not seem to be complete.

The patch there ignores the Advice tag when parsing the document. This is fine. However, in our case, the Advice contains two Assertions, both of which are signed (have a Signature tag). The document verification seems to also validate these signatures. This is a problem, since we do not have the keys for these advices, hence the validation fails. 

We have been advised to fully ignore the Advice tag, including the underlying signatures. I am not a SAML expert but that feels a bit wrong. Any thoughts on that?

However, if we do want to go down this road, we would probably patch this in
	 org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator)
by skipping over nodes that have an ‘Advice’ parent. 

Would that be an appropriate approach? Would you be interested in such a patch?


Kind regards,

Arjan Lamers
Software Architect
+31 (0)6 23 82 24 05



a.lamers at first8.nl
https://www.first8.nl
LinkedIn https://www.linkedin.com/in/arjanl
Kerkenbos 1059b
6546 BB Nijmegen

View the general terms and conditions of Conclusion here: https://www.conclusion.nl/kleine-lettertjes/algemene-voorwaarden
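The selection step the post describes (deciding which ds:Signature elements a document-level validator should verify and which ones sit inside a saml:Advice and are skipped), as an added example that is not part of the original message and not Keycloak's own code. It is Python using only the standard library, so it does not perform XML-DSig verification itself; it only partitions the signatures, which is the decision XMLSignatureUtil.validate would have to make before handing each kept signature to the real verifier. The SAML response below is constructed for the example (the issuer hostnames, assertion IDs and base64 signature values are placeholders, not real eHerkenning data). The ancestor walk covers signatures nested at any depth under Advice, not only a direct Advice > Assertion > Signature chain.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SIGNATURE = f"{{{DSIG}}}Signature"
ADVICE = f"{{{SAML}}}Advice"

# Constructed sample: a signed Response carrying a signed Assertion whose
# Advice holds two further signed Assertions from another party. Signature
# contents are placeholders; this example never verifies them.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnLXJlc3A=</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnLWEx</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Advice>
      <saml:Assertion ID="_adv1" Version="2.0">
        <saml:Issuer>https://broker.example.test</saml:Issuer>
        <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnLWFkdjE=</ds:SignatureValue></ds:Signature>
      </saml:Assertion>
      <saml:Assertion ID="_adv2" Version="2.0">
        <saml:Issuer>https://broker.example.test</saml:Issuer>
        <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnLWFkdjI=</ds:SignatureValue></ds:Signature>
      </saml:Assertion>
    </saml:Advice>
  </saml:Assertion>
</samlp:Response>
"""


def build_parent_map(root):
    """ElementTree has no parent pointers; build child -> parent once per document."""
    return {child: parent for parent in root.iter() for child in parent}


def is_inside_advice(elem, parents):
    """True if any ancestor of elem is a saml:Advice element."""
    node = parents.get(elem)
    while node is not None:
        if node.tag == ADVICE:
            return True
        node = parents.get(node)
    return False


def partition_signatures(xml_text):
    """Return (verify, skip): IDs of the elements whose ds:Signature must be
    verified against the IdP's key, and IDs of those sitting under Advice,
    which the relying party has no key for and leaves unverified."""
    root = ET.fromstring(xml_text)
    parents = build_parent_map(root)
    verify, skip = [], []
    for sig in root.iter(SIGNATURE):
        owner = parents[sig]  # the Response or Assertion this signature covers
        owner_id = owner.get("ID")
        if is_inside_advice(sig, parents):
            skip.append(owner_id)
        else:
            verify.append(owner_id)
    return verify, skip


if __name__ == "__main__":
    verify, skip = partition_signatures(SAMPLE_RESPONSE)
    print("verify:", verify)  # the response and the outer assertion
    print("skip:  ", skip)    # the two assertions embedded in Advice
```

Two practical points follow from the partition. First, skipping is only safe if the rest of the relying party also ignores what is inside Advice: the SAML 2.0 core specification states that Advice content may be ignored without affecting the validity of the enclosing assertion, so nothing in it should feed authorization decisions. Second, the kept signatures still have to be verified as before; a signature on an Advice assertion that the verifier cannot check is simply outside the trust decision, not a reason to loosen checks on the outer assertion.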
