[keycloak-user] SAML RSAKeyValue causing error

Dean Peterson peterson.dean at gmail.com
Wed Sep 19 13:49:39 EDT 2018


I am having trouble using Keycloak as the external provider to our
Websphere Application. I received the following response from IBM support:

I discussed the issue with our SAML SSO SME. He found that the SAML token,
besides X509Certificate, also contains RSAKeyValue (<dsig:RSAKeyValue>).
This document states:

https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/cwbs_limitationsofsaml.html


RSAKeyValue is supported for the KeyInfo element in a Signature. However,
the X.509 certificate is not available when using RSAKeyValue. When the
X.509 certificate is not available to the runtime, the signer of the SAML
Assertion cannot be checked against a truststore. If you want to receive
SAML Assertions that use RSAKeyValue you cannot configure the runtime to
use a truststore.


Can you configure the IdP so that it only sends the X509Certificate, not the RSAKeyValue?


Is it possible to remove the RSAKeyValue from the saml token and still send
just the certificate?
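As an added illustration of the constraint the IBM document describes (not code from the original post, Keycloak or WebSphere), the following example parses a <dsig:KeyInfo> element and implements the relying-party policy that only an X509Certificate can be checked against a truststore; an assertion that carries RSAKeyValue alone is rejected. The KeyInfo samples and the certificate value are constructed placeholders, not real key material.

```python
import base64
import xml.etree.ElementTree as ET

# XML Digital Signature namespace used by <dsig:KeyInfo> in SAML assertions.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: both X509Certificate and RSAKeyValue present (Keycloak's default shape).
# The certificate value is a placeholder (base64 of "constructed"), not a real certificate.
SAMPLE_BOTH = """<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:X509Data><dsig:X509Certificate>Y29uc3RydWN0ZWQ=</dsig:X509Certificate></dsig:X509Data>
  <dsig:KeyValue><dsig:RSAKeyValue>
    <dsig:Modulus>gAAAAAAAAAA=</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent>
  </dsig:RSAKeyValue></dsig:KeyValue>
</dsig:KeyInfo>"""

# Constructed sample: RSAKeyValue only, no certificate for the truststore check.
SAMPLE_RSA_ONLY = """<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:KeyValue><dsig:RSAKeyValue>
    <dsig:Modulus>gAAAAAAAAAA=</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent>
  </dsig:RSAKeyValue></dsig:KeyValue>
</dsig:KeyInfo>"""


def inspect_key_info(key_info_xml):
    """Summarise which signer material a <dsig:KeyInfo> offers the relying party."""
    root = ET.fromstring(key_info_xml)
    certs = [e.text.strip() for e in root.iter("{%s}X509Certificate" % DSIG_NS) if e.text]
    rsa = root.find(".//{%s}RSAKeyValue" % DSIG_NS)
    modulus_bits = None
    if rsa is not None:
        mod = rsa.find("{%s}Modulus" % DSIG_NS)
        if mod is not None and mod.text:
            # Modulus is base64 of the big-endian unsigned integer; report its size.
            modulus_bits = int.from_bytes(base64.b64decode(mod.text.strip()), "big").bit_length()
    return {"x509_certificates": certs,
            "has_rsa_key_value": rsa is not None,
            "rsa_modulus_bits": modulus_bits}


def select_signer_material(key_info_xml):
    """Policy: only a certificate can be validated against a truststore.

    Returns ("truststore", <base64 cert>) when an X509Certificate is present, which the
    relying party should validate against its truststore; a bare RSAKeyValue cannot be
    tied to a trusted signer, so it yields ("reject", None).
    """
    info = inspect_key_info(key_info_xml)
    if info["x509_certificates"]:
        return ("truststore", info["x509_certificates"][0])
    return ("reject", None)
```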

