KEYCLOAK-4425

Use SAML assertion signature algorithm to validate incoming assertions

Description

Currently, regardless of the chosen signature algorithm for a SAML client, Keycloak will accept assertions signed with another algorithm (e.g. KC signs with SHA256 but accepts SHA1 from the SP).

With many other IdPs, when a signature algorithm is chosen, there's a validation that the same algorithm is used in both directions. I think this is something that Keycloak should do too as a security measure. This could be configurable.

Feature request opened as requested here: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009515.html
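The validation step the request asks for, written out as an added example in Python (this is not Keycloak's code; the sample SAML responses, the `ALGORITHM_URIS` table keyed by a hypothetical client setting name, and the function names are constructed for this illustration). The idea is a policy check that runs before cryptographic verification: read the `ds:SignatureMethod` algorithm URI from every signature in the message and reject the message if any of them differs from the algorithm configured for that client, so an assertion signed with SHA-1 is refused when the client is configured for SHA-256. The algorithm URIs themselves are the standard XML-DSig identifiers.

```python
"""Reject SAML messages whose signature algorithm differs from the one configured
for the client. Added illustration of the KEYCLOAK-4425 request, not Keycloak code.
Sample XML, the ALGORITHM_URIS table and the function names are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Standard XML-DSig algorithm identifiers, keyed by a hypothetical
# per-client configuration value (the key names are an assumption).
ALGORITHM_URIS = {
    "RSA_SHA1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "RSA_SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "RSA_SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}


def signature_algorithms(xml_text):
    """Return the Algorithm URI of every ds:SignatureMethod in the document.

    Both message-level and assertion-level signatures are collected, so a
    response carrying two signatures with different algorithms is visible."""
    root = ET.fromstring(xml_text)
    tag = "{%s}SignatureMethod" % NS["ds"]
    return [el.get("Algorithm", "") for el in root.iter(tag)]


def check_signature_algorithm(xml_text, expected):
    """Policy check to run before signature verification.

    Returns (ok, reason). ok is False when the message carries no signature
    at all, or when any signature uses an algorithm other than the one
    configured for the client (`expected`, a key of ALGORITHM_URIS)."""
    found = signature_algorithms(xml_text)
    if not found:
        return False, "no ds:Signature present"
    expected_uri = ALGORITHM_URIS[expected]
    mismatched = sorted({uri for uri in found if uri != expected_uri})
    if mismatched:
        return False, "signature algorithm mismatch: expected %s, got %s" % (
            expected_uri, ", ".join(mismatched))
    return True, "ok"


def sample_response(algorithm_uri=None):
    """Constructed minimal samlp:Response with an optionally signed assertion.

    The SignatureValue is a placeholder; this example only inspects the
    declared algorithm and never verifies the signature itself."""
    signature = ""
    if algorithm_uri:
        signature = (
            '<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            '<ds:SignatureMethod Algorithm="%s"/>'
            '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
            % (NS["ds"], algorithm_uri)
        )
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">'
        '<saml:Assertion ID="_a1">%s<saml:Subject/></saml:Assertion>'
        '</samlp:Response>' % (NS["samlp"], NS["saml"], signature)
    )


if __name__ == "__main__":
    # Client configured for RSA-SHA256; show the three outcomes.
    for label, doc in [
        ("sha256-signed", sample_response(ALGORITHM_URIS["RSA_SHA256"])),
        ("sha1-signed", sample_response(ALGORITHM_URIS["RSA_SHA1"])),
        ("unsigned", sample_response()),
    ]:
        ok, reason = check_signature_algorithm(doc, "RSA_SHA256")
        print("%-14s accepted=%s (%s)" % (label, ok, reason))
```

The check is deliberately separate from, and in addition to, signature verification: it only compares the declared algorithm against configuration, so a message with no signature or with a SHA-1 signature is rejected before any key material is touched. Making the check configurable, as the request suggests, is a matter of skipping `check_signature_algorithm` for clients where the option is off.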

People

Assignee: Hynek Mlnařík (hmlnarik)
Reporter: Gabriel Lavoie (glavoie)