Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-4775

Export of Encryption Key for SPSSODescriptor or IDPSSODescriptor missing

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Done
    • 3.0.0.Final
    • 3.3.0.CR1
    • SAML
    • None
    • Hide

      Constellation
      Keycloak as IdP for sales-post-enc SP ( both on the same wildfly/keycloak instance) with OpenAM as brokered idP :

      • I deployed sales-post-enc with mvn clean package wildfly:deploy option,
      • I entered the admin console and inside the saml-demo realm, I imported the OpenAm IDPSSODescriptor
      • On the tab Export (from Menu Identity Providers) I took the SPSSODescriptor - Section under the Download Button and imported keycloak as remote SP on the OpenAm - Login Site.

      Also there is no KeyDescriptor for enrycption in the SPSSODescriptor for Clients when Enrypt Assertions is enabled and there are EncrptionKey and SigningKey available ! (see idp_sso.png picture)

      Show
      Constellation Keycloak as IdP for sales-post-enc SP ( both on the same wildfly/keycloak instance) with OpenAM as brokered idP : I deployed sales-post-enc with mvn clean package wildfly:deploy option, I entered the admin console and inside the saml-demo realm, I imported the OpenAm IDPSSODescriptor On the tab Export (from Menu Identity Providers) I took the SPSSODescriptor - Section under the Download Button and imported keycloak as remote SP on the OpenAm - Login Site. Also there is no KeyDescriptor for enrycption in the SPSSODescriptor for Clients when Enrypt Assertions is enabled and there are EncrptionKey and SigningKey available ! (see idp_sso.png picture)
    • NEW
    • ASSIGNED

    Description

      It is not possible to export Metadatadescriptors for Identity Broker with
      <KeyDescriptor use="encryption"> though is only <KeyDescriptor use="signing"> available.
      There is also no option to select or mark keys as for signing or encryption...
      As a consequence external IdP's (e.g. OpenAM) are failing to encrypt SAML-Responses when encryption is needed and activated.

      The step of Decryption of SAML Responses ( after this issue might be resolved) at Keycloak SP Level is even not tested. Maybe here must be also something to do.

      Attachments

        1. idp_sso.PNG
          93 kB
          Metehan Selvi
        2. spsso_export_for_idp_import.PNG
          121 kB
          Metehan Selvi

        Activity

          People

            hmlnarik@redhat.com Hynek Mlnařík
            mselvi Metehan Selvi (Inactive)
            Mark True Mark True (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: