[keycloak-user] Issue with SAML AuthnRequest
max at mascanc.net
Wed Feb 6 09:30:41 EST 2019
Hi,
On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
> May I ask you what is the client implementation? For my dev environment,
Thanks for the answer! :-) It is a client built with OpenSAML.
The signature created by it, according to Oxygen 12, is valid
(by validating the Base64-encoded SAML AuthnRequest obtained from Wireshark).
>
> If your client uses keycloak, at least in the java adapter you can define
> the signatureCanonicalizationMethod, but usually the default one (
> http://www.w3.org/2001/10/xml-exc-c14n#) is OK. Check in your client if you
> can customize this.
> > <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference
> > URI="#46faa8d7-fd71-4c00-8bad-921a5bd9e5c8"><ds:Transforms><ds:Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod
> > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256
We do use this C14n algorithm already ...
Uhmm... can it be that the received SOAP is passed through a DocumentBuilderFactory using JAXB (thus adding
fake namespaces) or Transforms with some level of indentation that breaks the signature,
in version 4.8.3?
Thanks!
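As an added example (not code from this thread, from OpenSAML or from Keycloak), the following Java program uses the JDK's built-in XML Digital Signature API (javax.xml.crypto.dsig) to sign a constructed AuthnRequest with the algorithms quoted above (enveloped-signature and exclusive C14N transforms, SHA-256 digest, rsa-sha256 instead of rsa-sha1) and then verifies it after re-serializing the DOM twice: once as-is and once through a pretty-printing Transformer, which is the "some level of indentation" scenario. The request contents, its ID and the URLs are made up, the RSA key is a throwaway generated at runtime, and the code assumes Java 11 or later.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class IndentBreaksSamlSignature {

    // Constructed minimal AuthnRequest for this example; ID, URLs and timestamp are made up.
    static final String AUTHN_REQUEST =
        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
      + " ID=\"_example-request-id\" Version=\"2.0\" IssueInstant=\"2019-02-06T09:30:41Z\""
      + " Destination=\"https://idp.example.test/saml\">"
      + "<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>"
      + "</samlp:AuthnRequest>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this the ds: prefixes are not resolved and verification fails
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, no XXE
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Serialize the DOM, optionally pretty-printed with 2-space indentation.
    static String serialize(Document doc, boolean indent) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, indent ? "yes" : "no");
        if (indent) t.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // Enveloped signature over the AuthnRequest: enveloped-signature + exclusive C14N transforms,
    // SHA-256 digest, exclusive C14N for SignedInfo, rsa-sha256 as the signature method.
    static Document sign(Document doc, KeyPair kp) throws Exception {
        Element root = doc.getDocumentElement();
        root.setIdAttribute("ID", true); // lets the URI="#..." reference resolve to this element
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + root.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null),
            List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                    fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            List.of(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(List.of(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), root));
        return doc;
    }

    // Verify against a freshly parsed document, registering the ID attribute the same way a receiver must.
    static boolean verify(Document doc, PublicKey pub) throws Exception {
        Element root = doc.getDocumentElement();
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(pub, sigEl);
        ctx.setIdAttributeNS(root, null, "ID");
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway test key generated at runtime

        Document signed = sign(parse(AUTHN_REQUEST), kp);

        // 1. Plain round-trip: same infoset, so the exclusive-C14N digest and signature still match.
        boolean plainOk = verify(parse(serialize(signed, false)), kp.getPublic());
        // 2. Indented round-trip: whitespace text nodes now sit between the children of AuthnRequest
        //    and inside SignedInfo, so both the reference digest and the SignatureValue mismatch.
        boolean indentedOk = verify(parse(serialize(signed, true)), kp.getPublic());

        System.out.println("verify after plain re-serialization:    " + plainOk);
        System.out.println("verify after indented re-serialization: " + indentedOk);
    }
}
```

Compile and run with `javac IndentBreaksSamlSignature.java && java IndentBreaksSamlSignature`; the first verification should pass and the second should fail. Exclusive C14N only removes the enveloped ds:Signature element and drops namespace declarations that are not visibly used, so extra xmlns declarations inherited from an outer SOAP envelope are tolerated by design, while whitespace inserted by indentation is signed content and changes the digest.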