[keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)

Luis Rodríguez Fernández uo67113 at gmail.com
Mon May 28 10:45:42 EDT 2018


Hello Pierre,

mmm, for production use I would go for
https://www.keycloak.org/archive/downloads-3.4.3.html.

Hope it helps,

Luis

2018-05-28 16:26 GMT+02:00 Pierre Dupont <pierredupontdal at gmail.com>:

> Hello Luis,
>
> I checked the XML file, the requestBinding is POST, but that was a good
> hint:
> Keycloak is waiting for a SigAlg parameter as an HTTP parameter. I had a
> parameter (embed_sign) in my SP config which was embedding these parameters
> in the AuthnRequest instead of passing them as HTTP parameters.
>
> However, I got another error, which is a NullPointerException.
> I think it is the same as this one: https://issues.jboss.org/browse/KEYCLOAK-7032
> It seems the only solution is to use an older version of Keycloak, unless
> you have a better solution.
>
> In any case, thank you for your help and your time.
>
> Best regards,
> Pierre
>
>
>
> On Mon, May 28, 2018 at 12:17 PM, Luis Rodríguez Fernández <
> uo67113 at gmail.com> wrote:
>
>> Hello Pierre,
>>
>> It looks correct to me, or at least very similar to mine:
>> https://gist.github.com/lurodrig/0c26b2000a725946b3ecc7994543d918
>>
>> I do think that the problem is that your IdP is expecting a GET for the
>> authnRequest and what your SP is doing is a POST. What is the value of your
>> IDP.SingleSignOnService.requestBinding in your keycloak.xml? Me I have
>> something like this:
>>
>>  <IDP entityID="idp"
>>       signatureAlgorithm="RSA_SHA256"
>>       signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
>>      <SingleSignOnService signRequest="true"
>>                           validateResponseSignature="true"
>>                           validateAssertionSignature="false"
>>                           requestBinding="POST"
>>
>> Hope it helps,
>>
>> Luis
>>
>>
>>
>>
>>
>> 2018-05-28 10:32 GMT+02:00 Pierre Dupont <pierredupontdal at gmail.com>:
>>
>>> Hi Luis,
>>>
>>> Thank you for your answer. I tried your suggestion, following the
>>> provided example.
>>> My SAML request has changed, but I still get the same error, i.e. SigAlg
>>> was null.
>>> My guess is that Keycloak doesn't manage to read the value in the SAML
>>> request.
>>>
>>> Here is my SAML request (retrieved with SAML Tracer on Firefox):
>>> <samlp:AuthnRequest AssertionConsumerServiceURL="..." Destination="..."
>>>     ID="_5c3e604e-7dad-443e-9b10-5cbe2d685081" IssueInstant="2018-05-28T07:26:17Z"
>>>     Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>>>   <saml:Issuer>...</saml:Issuer>
>>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>     <ds:SignedInfo>
>>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>       <ds:Reference URI="#_5c3e604e-7dad-443e-9b10-5cbe2d685081">
>>>         <ds:Transforms>
>>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>             <ec:InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi md"
>>>                 xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>           </ds:Transform>
>>>         </ds:Transforms>
>>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>         <ds:DigestValue>...</ds:DigestValue>
>>>       </ds:Reference>
>>>     </ds:SignedInfo>
>>>     <ds:SignatureValue>...</ds:SignatureValue>
>>>     <ds:KeyInfo>
>>>       <ds:X509Data>
>>>         <ds:X509Certificate>...</ds:X509Certificate>
>>>       </ds:X509Data>
>>>     </ds:KeyInfo>
>>>   </ds:Signature>
>>>   <samlp:NameIDPolicy AllowCreate="true"
>>>       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
>>> </samlp:AuthnRequest>
>>>
>>> As expected, I have the correct values for SignatureMethod and
>>> DigestMethod. I'm short of ideas.
>>>
>>> Thanks in advance,
>>>
>>> Pierre
>>>
>>> Date: Fri, 25 May 2018 14:39:03 +0200
>>> From: Luis Rodríguez Fernández <uo67113 at gmail.com>
>>> Subject: Re: [keycloak-user] SAML signing AuthnRequest results in
>>>         invalid_signature (SigAlg was null)
>>> To: keycloak-user at lists.jboss.org
>>> Message-ID: <CACp70MkD1nWyy600hw-y-ZX8gKqv5RB-gpU_UFE7VAW0_nL2VA at mail.gmail.com>
>>> Content-Type: text/plain; charset="UTF-8"
>>>
>>> Hello Pierre,
>>>
>>> mmm, if I am not wrong, usually for signature methods SAML uses the URI
>>> identifier [1]. E.g. my IdP (ADFS) likes
>>> "http://www.w3.org/2000/09/xmldsig#rsa-sha1". You can have a look at this
>>> example: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
>>>
>>> Hope it helps,
>>>
>>> Luis
>>>
>>> [1] https://www.w3.org/TR/xmlsec-algorithms/
>>> [2]
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>> --
>>
>> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>>
>> - Samuel Beckett
>>
>
>


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
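The "SigAlg was null" symptom in this thread comes down to where the AuthnRequest signature is placed for a given binding: HTTP-Redirect carries it in the SigAlg and Signature query parameters, while HTTP-POST expects an enveloped ds:Signature inside the XML. The helper below is an added example, not code from the thread or from Keycloak; it decodes a SAMLRequest the way each binding transports it and reports whether the signature placement matches the binding. The AuthnRequest and signature values are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed minimal AuthnRequest (not the request from the thread); the
# signature value is a placeholder because only its placement matters here.
SIGNED_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">'
    '<saml:Issuer>https://sp.example</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '</samlp:AuthnRequest>'
)
UNSIGNED_REQUEST = SIGNED_REQUEST[:SIGNED_REQUEST.index("<ds:Signature")] + "</samlp:AuthnRequest>"

def encode_saml_request(xml, binding):
    """Encode as the binding transports it: raw DEFLATE + base64 for Redirect, base64 for POST."""
    data = xml.encode("utf-8")
    if binding == "redirect":
        c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
        data = c.compress(data) + c.flush()
    return base64.b64encode(data).decode("ascii")

def decode_saml_request(value, binding):
    """Inverse of encode_saml_request; params are assumed to be URL-decoded already."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")

def inspect_signing(binding, params):
    """Return (status, detail) describing where the request signature lives.
    params: the query (redirect) or form (post) parameters as a plain dict."""
    root = ET.fromstring(decode_saml_request(params["SAMLRequest"], binding))
    enveloped = root.find(DS + "Signature") is not None
    detached = "SigAlg" in params and "Signature" in params
    if binding == "redirect":
        if detached:
            return "ok", "detached signature, SigAlg=" + params["SigAlg"]
        if enveloped:
            return "mismatch", ("signature embedded in the XML, but HTTP-Redirect carries it "
                                "in the SigAlg/Signature query parameters (SigAlg is null)")
    else:
        if enveloped:
            alg = root.find(".//" + DS + "SignatureMethod").get("Algorithm")
            return "ok", "enveloped XML signature, SignatureMethod=" + alg
        if detached:
            return "mismatch", "SigAlg/Signature form fields are not part of HTTP-POST binding"
    return "unsigned", "no signature found for binding " + binding
```

Running inspect_signing over a captured request tells you, before touching the IdP, whether the SP's signing mode and the configured binding agree.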