Keycloak / KEYCLOAK-4377

Signature validation fails on brokered SAML 2.0 IDP if Assertion is encrypted.


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.9.8.Final, 2.5.3.Final
    • Fix Version/s: 3.2.0.CR1
    • Component/s: SAML
    • Labels: None
    • Security: This issue is security relevant
    • Steps to Reproduce:

      1. Configure an IDP that returns an unsigned Response with a signed, encrypted Assertion.
      2. Check 'Validate Signature'.
      3. An error will be thrown that the signature is invalid (because the code doesn't find a Signature element).

    Description

      When the option 'Validate Signature' is set on a brokered SAML 2.0 IDP, Keycloak throws an exception if the signature is placed inside an encrypted assertion of the response.
      As this is a valid case of a signed SAML document, this error should not be thrown unless the signature is actually invalid.
      The current implementation doesn't check the message for encrypted assertions (and decrypt them) before searching the document for a signature at the Response or Assertion level.
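      As an added illustration (not Keycloak's code), the Python sketch below shows the ordering problem the description points at: a checker that looks for ds:Signature before opening the EncryptedAssertion sees no signature at all, while one that decrypts first finds the assertion-level signature. The sample Response, the placeholder Signature and the base64 stand-in for XML Encryption are constructed assumptions, not real SAML crypto.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: a signed Assertion (the Signature content is a placeholder,
# no real XML-DSig is computed here).
SIGNED_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_a1">'
    "<saml:Issuer>https://idp.example</saml:Issuer>"
    "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
    "</saml:Assertion>"
)

# Stand-in for XML Encryption: the CipherValue is just base64 of the assertion.
CIPHER = base64.b64encode(SIGNED_ASSERTION.encode()).decode()

# Constructed unsigned Response carrying only the encrypted, signed Assertion.
RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1">'
    f'<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="{XENC}">'
    f"<xenc:CipherData><xenc:CipherValue>{CIPHER}</xenc:CipherValue></xenc:CipherData>"
    "</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>"
)


def decrypt_assertions(root):
    """Replace each EncryptedAssertion with the decrypted Assertion (stand-in decrypt)."""
    for enc in list(root.findall(f"{{{SAML}}}EncryptedAssertion")):
        value = enc.find(f".//{{{XENC}}}CipherValue").text
        plain = ET.fromstring(base64.b64decode(value))
        pos = list(root).index(enc)
        root.remove(enc)
        root.insert(pos, plain)


def find_signed_elements(response_xml, decrypt_first):
    """Return local names of Response/Assertion elements that carry a ds:Signature.

    decrypt_first=False mirrors the reported behaviour: the encrypted assertion is
    never opened, so the signature inside it is not found and validation fails.
    """
    root = ET.fromstring(response_xml)
    if decrypt_first:
        decrypt_assertions(root)
    candidates = [root] + root.findall(f"{{{SAML}}}Assertion")
    return [el.tag.split("}")[-1] for el in candidates
            if el.find(f"{{{DS}}}Signature") is not None]
```

      With decrypt_first=False the function returns an empty list, reproducing the "no Signature element" failure; with decrypt_first=True it returns ['Assertion'].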

      People

        Hynek Mlnařík (hmlnarik@redhat.com)
        Frederik Libert (frederik.libert, inactive)
        Michal Hajas
        Votes: 0
        Watchers: 4