[keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
Pierre Dupont
pierredupontdal at gmail.com
Fri May 25 06:03:00 EDT 2018
Hi everyone,
I'm using Keycloak 4.0.0.Beta2, and I'm trying to sign AuthnRequests from a
Service Provider (Ruby Omniauth) to Keycloak.
On Keycloak, I have set the "Client Signature Required" to On.
I have set Omniauth parameters with the following values:
"security" => {
"authn_requests_signed" => true,
"embed_sign" => true,
"digest_method" => "XMLSecurity::Document::SHA1",
"signature_method" => "XMLSecurity::Document::RSA_SHA1",
}
I have also copied and pasted the SAML keys from Keycloak to the SP.
When initiating a SAML request at the SP, I am redirected to an error page
with "Invalid requester" on Keycloak.
In the logs, I got the following:
08:49:19,057 ERROR [org.keycloak.protocol.saml.SamlService] (default task-64) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:135)
at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(SamlService.java:518)
at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:233)
...
08:49:19,058 WARN [org.keycloak.events] (default task-64) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.42.128.4, error=invalid_signature
It seems that Keycloak can't read the Signature Algorithm value. I checked
the SAML data, and the SignatureMethod is set:
<ds:SignatureMethod Algorithm="XMLSecurity::Document::RSA_SHA1" />
I checked my parameters and certificates (tried new ones), but I always
get this error.
What am I doing wrong? Has anyone managed to sign their AuthnRequests or
encountered the same errors? I haven't found anything similar on the
internet.
Thanks in advance,
Regards,
Pierre Dupont
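As an added example (not code from this thread, nor from Keycloak or Omniauth), this Ruby script shows what the SAML HTTP-Redirect binding actually signs: the URL-encoded SAMLRequest, RelayState and SigAlg query parameters, with the signature carried in a Signature parameter rather than embedded in the XML. The verifier is a simplified model of the check named in the stack trace above, so a request whose signature lives only inside the XML fails with the same "SigAlg was null"; the AuthnRequest, the key and the use of the RSA-SHA256 algorithm URI are constructed for the demo, and a SigAlg that is not a URI (such as the constant name in the post) is rejected.

```ruby
require 'openssl'
require 'base64'
require 'zlib'
require 'cgi'

# SigAlg values are algorithm URIs; the literal constant *name*
# "XMLSecurity::Document::RSA_SHA1" seen in the post is not one and is rejected.
SIG_ALGS = {
  'http://www.w3.org/2000/09/xmldsig#rsa-sha1'        => 'SHA1',
  'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => 'SHA256'
}.freeze

SIGNED_ORDER = %w[SAMLRequest RelayState SigAlg].freeze

# Raw DEFLATE + base64, as the HTTP-Redirect binding requires for SAMLRequest.
def encode_request(xml)
  d = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  raw = d.deflate(xml, Zlib::FINISH)
  d.close
  Base64.strict_encode64(raw)
end

# The string actually signed: URL-encoded SAMLRequest, RelayState (if present)
# and SigAlg, joined in that fixed order. Both sides must build it identically.
def signed_string(params)
  SIGNED_ORDER.select { |k| params[k] }.map { |k| "#{k}=#{CGI.escape(params[k])}" }.join('&')
end

# SP side: the signature travels in the query string, not inside the XML.
def sign_redirect_query(params, key, sig_alg)
  digest = SIG_ALGS.fetch(sig_alg) { raise ArgumentError, "unknown SigAlg #{sig_alg}" }
  query = signed_string(params.merge('SigAlg' => sig_alg))
  sig = key.sign(OpenSSL::Digest.new(digest), query)
  "#{query}&Signature=#{CGI.escape(Base64.strict_encode64(sig))}"
end

# IdP side, a simplified model of Keycloak's verifyRedirectSignature: only the
# query parameters are consulted, so an embedded <ds:Signature> is never seen
# and a missing SigAlg fails closed with the error from the log.
def verify_redirect_query(query, pub_key)
  params = query.split('&').to_h { |kv| k, v = kv.split('=', 2); [k, CGI.unescape(v.to_s)] }
  raise 'SigAlg was null' unless params['SigAlg']
  raise 'Signature was null' unless params['Signature']
  digest = SIG_ALGS.fetch(params['SigAlg']) { raise "unsupported SigAlg #{params['SigAlg']}" }
  pub_key.verify(OpenSSL::Digest.new(digest), Base64.strict_decode64(params['Signature']),
                 signed_string(params))
end
```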