[keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)

Luis Rodríguez Fernández uo67113 at gmail.com
Fri May 25 08:39:03 EDT 2018


Hello Pierre,

mmm, if I am not wrong, usually for signature methods SAML uses the URI
identifier [1]. E.g. my IdP (ADFS) likes
"http://www.w3.org/2000/09/xmldsig#rsa-sha1". You can have a look at this
example: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a

Hope it helps,

Luis

[1] https://www.w3.org/TR/xmlsec-algorithms/
[2]

2018-05-25 12:03 GMT+02:00 Pierre Dupont <pierredupontdal at gmail.com>:

> Hi everyone,
>
> I'm using Keycloak 4.0.0.Beta2, and I'm trying to sign AuthnRequests from a
> Service Provider (Ruby Omniauth) to Keycloak.
>
> On Keycloak, I have set the "Client Signature Required" to On.
>
> I have set Omniauth parameters with the following values:
> "security" => {
>         "authn_requests_signed" => true,
>         "embed_sign" => true,
>         "digest_method" => "XMLSecurity::Document::SHA1",
>         "signature_method" => "XMLSecurity::Document::RSA_SHA1",
> }
>
> I also have copied-pasted the SAML keys from Keycloak to the SP.
>
> When initiating a SAML request at the SP, I am redirected to an error page
> with "Invalid requester" on Keycloak.
> In the logs, I got the following:
> 08:49:19,057 ERROR [org.keycloak.protocol.saml.SamlService] (default task-64) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:135)
>     at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(SamlService.java:518)
>     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:233)
>     ...
> 08:49:19,058 WARN  [org.keycloak.events] (default task-64) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.42.128.4, error=invalid_signature
>
> It seems that Keycloak can't read the Signature Algorithm value. I checked
> the SAML data, and the SignatureMethod is set:
> <ds:SignatureMethod Algorithm="XMLSecurity::Document::RSA_SHA1" />
>
> I checked my parameters, certificates (tried to use new ones), but I always
> get this error.
>
> What am I doing wrong? Has anyone managed to sign their AuthnRequests or
> encountered the same errors? I haven't found anything similar on the
> internet.
>
> Thanks in advance,
> Regards,
>
> Pierre Dupont
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
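As an added example (not from this thread, nor code from ruby-saml or Keycloak), here is a small Ruby pre-flight check for the situation above: it reads the algorithm identifier from a signed AuthnRequest (embedded signature) or the SigAlg parameter of an HTTP-Redirect binding URL, and rejects anything that is not an XML-DSig algorithm URI, such as a library constant name that was passed as a string. The algorithm list and the sample request are constructed here and carry no real signature.

```ruby
require "rexml/document"
require "uri"
require "cgi"
# XML-DSig signature algorithm identifiers are URIs (see [1] in the reply above).
# Constructed subset; extend from https://www.w3.org/TR/xmlsec-algorithms/ as needed.
KNOWN_SIG_ALGS = %w[
  http://www.w3.org/2000/09/xmldsig#rsa-sha1
  http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
].freeze
DS_NS = "http://www.w3.org/2000/09/xmldsig#".freeze

# Algorithm attribute of ds:SignatureMethod in an AuthnRequest carrying an
# embedded signature, or nil when there is no such element.
def embedded_sig_alg(authn_request_xml)
  doc = REXML::Document.new(authn_request_xml)
  node = REXML::XPath.first(doc, "//ds:SignatureMethod", "ds" => DS_NS)
  node && node.attributes["Algorithm"]
end

# SigAlg query parameter of an HTTP-Redirect binding URL, or nil when absent
# (a missing SigAlg is what the redirect-binding verifier in the log rejects).
def redirect_sig_alg(url)
  query = URI.parse(url).query
  return nil if query.nil?
  CGI.parse(query)["SigAlg"].first
end

# nil when the value is a known algorithm URI, otherwise a description of the problem.
def sig_alg_problem(value)
  return "no signature algorithm present" if value.nil? || value.empty?
  return nil if KNOWN_SIG_ALGS.include?(value)
  "#{value.inspect} is not an XML-DSig algorithm URI (a library constant name passed as a string?)"
end

# Constructed sample request; signature values are omitted, only the identifier matters here.
def sample_request(alg)
  <<~XML
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1">
      <ds:Signature xmlns:ds="#{DS_NS}"><ds:SignedInfo>
        <ds:SignatureMethod Algorithm="#{alg}"/>
      </ds:SignedInfo></ds:Signature>
    </samlp:AuthnRequest>
  XML
end

if $PROGRAM_NAME == __FILE__
  puts sig_alg_problem(embedded_sig_alg(sample_request("XMLSecurity::Document::RSA_SHA1")))
  puts sig_alg_problem(redirect_sig_alg("https://idp.example/saml?SAMLRequest=abc"))
end
```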

