[keycloak-user] Issue with SAML AuthnRequest

max at mascanc.net max at mascanc.net
Wed Feb 6 09:30:41 EST 2019


On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
> May I ask you what is the client implementation? For my dev environment,

Thanks for the answer! :-) It is a client built with OpenSAML.
The signature created by it, according to Oxygen12, is valid
(by validating the Base64 encoded SAML Authn Request obtained from Wireshark).

> If your client uses keycloak, at least in the java adapter you can define
> the signatureCanonicalizationMethod, but usually the default one (
> http://www.w3.org/2001/10/xml-exc-c14n#) is OK. Check in your client if you
> can customize this.

> > <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference
> > URI="#46faa8d7-fd71-4c00-8bad-921a5bd9e5c8"><ds:Transforms><ds:Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod
> > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256

We do use this C14n algorithm already ... 

Uhmm... can it be that the received SOAP is passed through a DocumentBuilderFactory using JAXB (thus adding
fake namespaces) or Transforms with some level of indentation that breaks the signature,
in the version 4.8.3?
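As an added illustration of the suspicion above (not code from this thread, from Keycloak or from OpenSAML): Python's xml.etree canonicalize() implements C14N 2.0 rather than the exc-c14n 1.0 named in the SignedInfo, but it shares the two properties that matter here, so the constructed AuthnRequest below shows that indentation inserted between elements changes the Reference digest while an added, unused namespace declaration does not. The sample document, its ID and all URIs are constructed, and the enveloped-signature transform is modelled by excluding the ds:Signature element.

```python
import hashlib
from xml.etree import ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a minimal AuthnRequest with a placeholder enveloped
# signature (PLACEHOLDER is not a real signature value).
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example-id" Version="2.0">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    f'<ds:Signature xmlns:ds="{DS_NS}">PLACEHOLDER</ds:Signature>'
    '</samlp:AuthnRequest>'
)
# The same document after an indenting Transformer: the newline+indent runs
# between elements are text nodes and so become part of the canonical form.
INDENTED_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"\n'
    '    ID="_example-id" Version="2.0">\n'
    '  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>\n'
    f'  <ds:Signature xmlns:ds="{DS_NS}">PLACEHOLDER</ds:Signature>\n'
    '</samlp:AuthnRequest>'
)
# The same document with an unused namespace declaration added to the root
# (hypothetical URI), as a binding layer might do; C14N drops unused ones.
EXTRA_NS_REQUEST = AUTHN_REQUEST.replace(
    "<samlp:AuthnRequest ", '<samlp:AuthnRequest xmlns:ns2="http://example.test/x" ', 1)

def reference_digest(xml_text: str, *, strip_text: bool = False) -> str:
    """SHA-256 of the canonical form with ds:Signature removed, i.e. the input
    the Reference's DigestValue is computed over (C14N 2.0 here, not exc-c14n)."""
    canonical = ET.canonicalize(
        xml_text,
        exclude_tags=[f"{{{DS_NS}}}Signature"],  # enveloped-signature transform
        strip_text=strip_text,  # diagnostic only: ignore whitespace-only text
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def compare_variants() -> dict:
    """Whether each variant still produces the original request's digest."""
    base = reference_digest(AUTHN_REQUEST)
    return {
        "indented_matches": reference_digest(INDENTED_REQUEST) == base,
        "extra_ns_matches": reference_digest(EXTRA_NS_REQUEST) == base,
        "indented_matches_when_whitespace_stripped":
            reference_digest(INDENTED_REQUEST, strip_text=True)
            == reference_digest(AUTHN_REQUEST, strip_text=True),
    }
```

The strip_text run is a debugging aid only: when the digests agree with whitespace ignored but not otherwise, inserted indentation is the sole difference, which is what an indenting Transformer between receipt and verification would produce.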
