RH-SSO SAML adapter support for using keys without a defined KeyName element in IdP SAML descriptor
Issue
- After authentication at the IdP (e.g. MS ADFS), the SP application fails with an error, and the EAP server log shows:
2019-12-09 17:33:26,279 DEBUG [org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator] (default task-1) Invalid key id: null
2019-12-09 17:33:26,279 DEBUG [org.keycloak.saml.common] (default task-1) Verification failed for key null: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
2019-12-09 17:33:26,279 TRACE [org.keycloak.saml.common] (default task-1) the keyselector did not find a validation key: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:539)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:252)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:519)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:483)
    at org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil.isSignatureValid(AssertionUtil.java:292)
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleLoginResponse(AbstractSamlAuthenticationHandler.java:378)
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse(AbstractSamlAuthenticationHandler.java:222)
    at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44)
    at org.keycloak.adapters.saml.SamlAuthenticator.authenticate(SamlAuthenticator.java:48)
    at org.keycloak.adapters.saml.undertow.AbstractSamlAuthMech.authenticate(AbstractSamlAuthMech.java:132)
    ...
...
2019-12-09 17:33:26,279 TRACE [org.keycloak.saml.common] (default task-1) Could not validate signature using ds:KeyInfo/ds:KeyName hint.
2019-12-09 17:33:26,279 TRACE [org.keycloak.saml.common] (default task-1) Trying hard to validate XML signature using all available keys.
...
2019-12-09 17:33:26,373 DEBUG [org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator] (default task-1) Certificates retrieved from server, filling public key cache
2019-12-09 17:33:26,373 TRACE [org.keycloak.adapters.saml.rotation.SamlDescriptorPublicKeyLocator] (default task-1) Ignoring certificate null: [ [ ... ]
2019-12-09 17:33:26,373 ERROR [org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler] (default task-1) Failed to verify saml assertion signature
- Support for using keys without a defined KeyName element in the IdP SAML descriptor
Environment
- Red Hat Single Sign-On (RH-SSO) SAML adapter 7
- Red Hat JBoss Enterprise Application Platform (EAP) 7
- External Identity Provider (IdP, e.g. MS ADFS)
- IdP certificate for signing/encryption configured in keycloak-saml.xml via the metadataUrl attribute, pointing to the IdP federation metadata XML file
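A quick way to confirm that the federation metadata fetched through metadataUrl is what triggers the errors above is to list the IdP's KeyDescriptors and check which of them actually carry a ds:KeyName. The script below is an added example, not part of this article or of the RH-SSO adapter code; the metadata document, entityID and certificate bodies in it are constructed placeholders (the "certificates" are not real X.509 DER). Run it against a saved copy of the IdP's metadata file, or with no argument to see it on the sample.

```python
"""Audit IdP SAML metadata for KeyDescriptors that carry no ds:KeyName.

Added example, not part of the Red Hat article or of the RH-SSO adapter.
The sample metadata below is constructed; the certificate bodies are
placeholder bytes, not real X.509 DER.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed ADFS-style descriptor: the signing key has no ds:KeyName,
# the encryption key does. entityID and certificate bodies are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>AAECAwQFBgcICQoLDA0ODw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:KeyName>adfs-enc-2019</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>EBESExQVFhcYGRobHB0eHw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def key_descriptors(metadata_xml):
    """Return one dict per md:KeyDescriptor under the IDPSSODescriptor.

    'use' defaults to 'signing encryption': the SAML metadata schema treats
    an absent use attribute as valid for both purposes.
    'key_name' is None when the descriptor has no ds:KeyName, the condition
    that matches the 'Invalid key id: null' / 'Ignoring certificate null' lines.
    'thumbprint' is SHA-1 over the DER bytes, the form Windows shows in the
    certificate properties, so it can be matched against the ADFS console.
    """
    root = ET.fromstring(metadata_xml)
    result = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        name_el = kd.find("ds:KeyInfo/ds:KeyName", NS)
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        key_name = name_el.text.strip() if name_el is not None and name_el.text else None
        thumbprint = None
        if cert_el is not None and cert_el.text:
            der = base64.b64decode("".join(cert_el.text.split()))
            thumbprint = hashlib.sha1(der).hexdigest().upper()
        result.append({
            "use": kd.get("use", "signing encryption"),
            "key_name": key_name,
            "thumbprint": thumbprint,
        })
    return result


def unnamed_signing_keys(descriptors):
    """Signing-capable descriptors that offer no KeyName to look them up by."""
    return [d for d in descriptors if "signing" in d["use"] and d["key_name"] is None]


def report(metadata_xml):
    """Print one line per descriptor; return the count of unnamed signing keys."""
    descs = key_descriptors(metadata_xml)
    for d in descs:
        print(f"use={d['use']:<20} KeyName={d['key_name'] or '<absent>':<16} "
              f"SHA1={d['thumbprint']}")
    missing = unnamed_signing_keys(descs)
    if missing:
        print(f"{len(missing)} signing KeyDescriptor(s) without ds:KeyName")
    return len(missing)


if __name__ == "__main__":
    # Pass a saved federation metadata file, or run without arguments for the sample.
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    sys.exit(1 if report(xml_text) else 0)
```

A signing descriptor reported with KeyName=<absent> is consistent with the log above: the adapter first tries the ds:KeyName hint (null here), then fills its public key cache from the metadata and logs "Ignoring certificate null", so no key is left for the signature check and the login fails with "Failed to verify saml assertion signature".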