[keycloak-user] Issue with SAML AuthnRequest
Luis Rodríguez Fernández
uo67113 at gmail.com
Fri Feb 8 08:25:52 EST 2019
Hello Max,
Mmm, I would need to get my hands dirty again with this. This reminds me
that I had an issue with the logout verification signature, see here [1].
Would disabling the signature for the auth request be acceptable for your
system? Our security team is OK with this, or maybe they never realized
;)
Cheers,
Luis
[1] http://lists.jboss.org/pipermail/keycloak-user/2018-September/015420.html
On Fri, 8 Feb 2019 at 9:34, <max at mascanc.net> wrote:
> Hi,
>
> On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
> > May I ask you what is the client implementation? For my dev environment,
> > using the tomcat saml adapter in the SP side and Keycloak
> > 4.8.2.Final-SNAPSHOT in the IdP one is working:
>
> It is strange: going in remote debug with Eclipse (running locally on my
> macOS), I have been able to obtain a successful redirect, and I did not
> see any trivial points on how the assertion signature could be damaged.
>
> I'll investigate for encoding issues on the Linux machine.
>
> In the code, the only point in which the assertion is marshalled to DOM is
> through a call to parse() on the inputstream.
>
> The DOM builder factory is assigned to the threadlocal: why? Can it be
> a threading issue, knowing the lack of thread safety of the DOM implementation?
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett