[keycloak-user] Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?

Edgar Vonk - Info.nl Edgar at info.nl
Mon Jan 28 06:10:53 EST 2019


hi all,

We are trying to set up Keycloak to act as a federated identity provider between our (OAuth2-enabled) application and the external SAML 2.0-enabled NetIQ Access Manager identity provider using: https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers

The basic setup including authentication works fine. However logging out does not. When attempting to logout from our application Keycloak sends a SAML LogoutRequest to NetIQ Access Manager but NetIQ does not accept this request because, from what we understand from NetIQ, this request is not signed.

It seems that Keycloak does not support sending signed LogoutRequests from SAML Identity Providers? Is this indeed the case and how could we go about solving this? Maybe create a custom IdentityProvider or possibly send a SAML LogoutRequest to NetIQ from our application directly?

Example of SAML LogoutRequest sent by Keycloak:

<samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo"
    ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d" IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/auth/realms/our-realm</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
    <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
</samlp:LogoutRequest>


I am no expert on SAML at all but this is from the SAML 2.0 specs (https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf):

4.4.4.1 <LogoutRequest> Usage:
  "The requester MUST authenticate itself to the responder and ensure message integrity, either by signing the message or using a binding-specific mechanism."

Should Keycloak not support signing SAML LogoutRequests?

cheers

Edgar
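The spec clause quoted above allows two ways to satisfy the integrity requirement, and the following added example (not from the original post, Keycloak or NetIQ) checks for both on the receiving side: an enveloped ds:Signature inside the LogoutRequest for the POST/SOAP bindings, or SigAlg/Signature query parameters for the HTTP-Redirect binding. It is a structural check only; the sample messages and placeholder values are constructed, and real cryptographic verification is assumed to be done by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def has_enveloped_signature(xml_text: str) -> bool:
    """POST/SOAP bindings: the LogoutRequest must carry an enveloped ds:Signature
    whose Reference URI points at the request's own ID. Structural check only;
    cryptographic verification belongs to an XML-DSig library such as xmlsec."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return False
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + root.get("ID", "")


def has_redirect_binding_signature(url: str) -> bool:
    """HTTP-Redirect binding: the XML is not signed; the binding signs the query
    string instead, so SigAlg and Signature must accompany SAMLRequest."""
    q = parse_qs(urlsplit(url).query)
    return all(q.get(k) for k in ("SAMLRequest", "SigAlg", "Signature"))


# Constructed sample: the unsigned request from the post, trimmed to the relevant parts.
UNSIGNED = """<samlp:LogoutRequest ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d" Version="2.0"
    IssueInstant="2019-01-28T10:43:56.896Z" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/auth/realms/our-realm</saml:Issuer>
  <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed sample: same request with an enveloped signature (SignatureValue is a placeholder).
SIGNED = """<samlp:LogoutRequest ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/auth/realms/our-realm</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#ID_7b7e1700-235b-403d-af08-a0c77dd7f26d"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:LogoutRequest>"""

# Constructed HTTP-Redirect URLs; SAMLRequest and Signature values are placeholders.
REDIRECT_UNSIGNED = "https://dummyhost.net/nidp/saml2/slo?SAMLRequest=UExBQ0VIT0xERVI%3D"
REDIRECT_SIGNED = (REDIRECT_UNSIGNED + "&Signature=UExBQ0VIT0xERVI%3D"
                   "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256")
```

Run against the request quoted in the post, the first check returns False, which is the condition NetIQ is rejecting; a request that passes either check still needs its signature verified against the partner's registered certificate.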


