[keycloak-user] Issue with SAML AuthnRequest

Luis Rodríguez Fernández uo67113 at gmail.com
Fri Feb 8 08:25:52 EST 2019

Hello Max,

mmm, I would need to get my hands dirty again with this. This reminds me
that I had an issue with the logout verification signature, see here [1].

Would disabling the signature for the auth request be acceptable for your
system? Our security team is OK with this, or maybe they never realized

On Fri, 8 Feb 2019 at 9:34, <max at mascanc.net> wrote:

> Hi,
> On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
> > May I ask you what is the client implementation? For my dev environment,
> > using the tomcat saml adapter in the SP side and Keycloak
> > 4.8.2.Final-SNAPSHOT in the IdP one is working:
> It is strange: going in remote debug with eclipse (running locally on my
> MacOS), I have been able to obtain a successful redirect, and I did not see
> any trivial points on how the assertion signature could be damaged.
> I'll investigate for encoding issues on the Linux machine.
> In the code, the only point in which the assertion is marshalled to DOM is
> through a call to parse() on the inputstream.
> The DOM builder factory is assigned to the threadlocal: why? Can it be
> a threading issue, knowing that the DOM implementation is not thread safe?


"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
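The quoted message asks why the DOM builder factory lives in a ThreadLocal and whether that could be a threading issue. The example below is added here to illustrate the pattern in isolation; it is not Keycloak's or the tomcat SAML adapter's code, and the class name, the hardening features and the sample AuthnRequest are assumptions constructed for the example. It shows the two properties a SAML parser needs for signature checks to survive: a per-thread factory (DocumentBuilderFactory and DocumentBuilder are not thread-safe, which is the usual reason for the ThreadLocal) and namespace-aware parsing (XML Signature validation needs a namespace-aware DOM), with DTD and external-entity processing switched off.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Hypothetical helper, not part of Keycloak or its adapters.
public class SamlDomParser {

    // DocumentBuilderFactory is not thread-safe, so each thread gets its own
    // hardened factory instead of one shared static instance.
    private static final ThreadLocal<DocumentBuilderFactory> FACTORY =
        ThreadLocal.withInitial(SamlDomParser::newHardenedFactory);

    private static DocumentBuilderFactory newHardenedFactory() {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // XML Signature (ds:Signature) validation requires a namespace-aware DOM;
            // parsing without it is a classic cause of "invalid signature" results.
            f.setNamespaceAware(true);
            // SAML messages never need DTDs or external entities; disabling them
            // removes the XXE and entity-expansion surface of the parser.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            return f;
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("XML parser lacks a required security feature", e);
        }
    }

    // Parse raw bytes, not a String: decoding with the platform default charset
    // (one possible source of the Linux-vs-macOS difference mentioned in the
    // thread) can alter non-ASCII content before the signature is verified.
    public static Document parse(byte[] samlXml) throws Exception {
        // A DocumentBuilder holds parse state, so create a fresh one per call.
        DocumentBuilder builder = FACTORY.get().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(samlXml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed minimal AuthnRequest for illustration, not a captured message.
        String xml = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " ID=\"_example\" Version=\"2.0\" IssueInstant=\"2019-02-08T08:25:52Z\"/>";
        Document doc = parse(xml.getBytes(StandardCharsets.UTF_8));
        // With namespace awareness on, the element has a namespace URI; without it,
        // getNamespaceURI() would be null and signature validation would fail.
        System.out.println(doc.getDocumentElement().getLocalName()
            + " ns=" + doc.getDocumentElement().getNamespaceURI());
    }
}
```

A shared factory guarded by a lock would also be correct; the ThreadLocal simply avoids contention on a hot path. What must not happen is two threads using the same DocumentBuilder instance concurrently.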
