Bug
Resolution: Obsolete
Major
RH-SSO-7.6.0
Workaround Exists
Originally reported in SSOSUP-381
Issue description
When importing the External IDP metadata file entitydescriptortoredhatsso.xml, the import fails with the error below:
16:13:55,485 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-14) Uncaught server error: java.lang.RuntimeException: PL00062: Parser : Unknown tag:DigestMethod::location=[row,col {unknown-source}]: [52,1]
    at org.keycloak.saml.common.DefaultPicketLinkLogger.parserUnknownTag(DefaultPicketLinkLogger.java:359)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLEncryptionMethodParser.processSubElement(SAMLEncryptionMethodParser.java:67)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLEncryptionMethodParser.processSubElement(SAMLEncryptionMethodParser.java:17)
    at org.keycloak.saml.common.parsers.AbstractStaxParser.parse(AbstractStaxParser.java:97)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLKeyDescriptorParser.processSubElement(SAMLKeyDescriptorParser.java:49)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLKeyDescriptorParser.processSubElement(SAMLKeyDescriptorParser.java:16)
    at org.keycloak.saml.common.parsers.AbstractStaxParser.parse(AbstractStaxParser.java:97)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLRoleDecriptorTypeParser.processSubElement(SAMLRoleDecriptorTypeParser.java:30)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLSSODescriptorTypeParser.processSubElement(SAMLSSODescriptorTypeParser.java:40)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLIDPSSODescriptorParser.processSubElement(SAMLIDPSSODescriptorParser.java:70)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLIDPSSODescriptorParser.processSubElement(SAMLIDPSSODescriptorParser.java:16)
    at org.keycloak.saml.common.parsers.AbstractStaxParser.parse(AbstractStaxParser.java:97)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLEntityDescriptorParser.processSubElement(SAMLEntityDescriptorParser.java:77)
    at org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLEntityDescriptorParser.processSubElement(SAMLEntityDescriptorParser.java:40)
    at org.keycloak.saml.common.parsers.AbstractStaxParser.parse(AbstractStaxParser.java:97)
    at org.keycloak.saml.processing.core.parsers.saml.SAMLParser.parse(SAMLParser.java:123)
    at org.keycloak.saml.common.parsers.AbstractParser.parse(AbstractParser.java:93)
    at org.keycloak.broker.saml.SAMLIdentityProviderFactory.parseConfig(SAMLIdentityProviderFactory.java:76)
Analysis
I am looking at the SAML 2.0 metadata specification http://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf, at the XSD http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd, and finally at http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd. The 3rd file is the only one which mentions the "DigestMethod" element, but you can see that it is commented out. So it seems it is not supported by the SAML 2.0 specification (maybe it was considered for support in some early draft, but it looks like it was removed/commented out).
But on the other hand, I see that XSD http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd contains:
    <complexType name="EncryptionMethodType" mixed="true">
      <sequence>
        <element name="KeySize" minOccurs="0" type="xenc:KeySizeType"/>
        <element name="OAEPparams" minOccurs="0" type="base64Binary"/>
        <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
      </sequence>
      <attribute name="Algorithm" type="anyURI" use="required"/>
    </complexType>
The XSD allows an "any" element, so it seems that RHSSO should not throw an error, but should allow unknown elements even if it does not understand them.
So we may not need to support the "DigestMethod" element, but we should not throw an error, as the XSD allows it to contain "any" element. In other words, we can just ignore this element (if present) and not throw the error.
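The following is an added illustration of the schema rule discussed in the analysis above; it is not code from this issue, from Keycloak or from RH-SSO. It parses an EncryptionMethod the way `EncryptionMethodType` is declared: `xenc:KeySize` and `xenc:OAEPparams` are read, any child from a namespace other than the xenc target namespace (the `any namespace="##other"` particle, which is what covers `ds:DigestMethod`) is skipped and recorded, and an unknown element that is in the xenc namespace itself is still rejected, because `##other` does not permit it. A `strict` flag reproduces the reported behaviour of failing on every unknown child so the two can be compared. The KeyDescriptor fragment is constructed for the example; only the namespace URIs are the real ones.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


class UnknownTagError(Exception):
    """Raised for a child element the schema does not allow."""


def split_qname(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def parse_encryption_method(elem, strict=False):
    """Parse one md:/xenc:EncryptionMethod element of type xenc:EncryptionMethodType.

    strict=True: any child other than KeySize/OAEPparams is an error (the
    reported behaviour). strict=False: children from namespaces other than
    xenc are skipped, as xs:any namespace="##other" allows; unknown children
    in the xenc namespace are still errors.
    """
    ns, local = split_qname(elem.tag)
    if local != "EncryptionMethod" or ns not in (MD_NS, XENC_NS):
        raise ValueError("not an EncryptionMethod element: %s" % elem.tag)
    algorithm = elem.get("Algorithm")
    if algorithm is None:
        raise ValueError("EncryptionMethod requires an Algorithm attribute")
    result = {"algorithm": algorithm, "key_size": None,
              "oaep_params": None, "ignored": []}
    for child in elem:
        cns, clocal = split_qname(child.tag)
        if cns == XENC_NS and clocal == "KeySize":
            result["key_size"] = int((child.text or "").strip())
        elif cns == XENC_NS and clocal == "OAEPparams":
            result["oaep_params"] = (child.text or "").strip()
        elif cns != XENC_NS and not strict:
            # Covered by <any namespace="##other">: keep going, remember it.
            result["ignored"].append(child.tag)
        else:
            raise UnknownTagError("Unknown tag:%s" % clocal)
    return result


def parse_key_descriptor(xml_text, strict=False):
    """Return the parsed EncryptionMethod children of a KeyDescriptor fragment."""
    root = ET.fromstring(xml_text)
    return [parse_encryption_method(child, strict=strict)
            for child in root if split_qname(child.tag)[1] == "EncryptionMethod"]


def raises_unknown_tag(xml_text, strict=False):
    """True if parsing the fragment fails with UnknownTagError."""
    try:
        parse_key_descriptor(xml_text, strict=strict)
    except UnknownTagError:
        return True
    return False


# Constructed sample: a KeyDescriptor whose first EncryptionMethod carries a
# ds:DigestMethod child, as in the metadata file from the report.
SAMPLE = """<md:KeyDescriptor use="encryption"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <ds:KeyInfo><ds:KeyName>example-key</ds:KeyName></ds:KeyInfo>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  </md:EncryptionMethod>
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc">
    <xenc:KeySize>256</xenc:KeySize>
  </md:EncryptionMethod>
</md:KeyDescriptor>"""

# Constructed sample with an element the schema never allows: an unknown
# child in the xenc namespace is not covered by ##other.
SAMPLE_BAD = """<md:KeyDescriptor use="encryption"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
    <xenc:Bogus/>
  </md:EncryptionMethod>
</md:KeyDescriptor>"""

if __name__ == "__main__":
    for m in parse_key_descriptor(SAMPLE):
        print(m)
    print("strict mode fails on ds:DigestMethod:", raises_unknown_tag(SAMPLE, strict=True))
```

Run as-is it prints the two parsed methods, with the `ds:DigestMethod` tag listed under `ignored` for the first one, and confirms that strict mode fails on the same input. The distinction the lenient branch draws (skip only what `##other` permits) is the one worth keeping in a real fix: silently accepting unknown children in the target namespace would hide genuinely malformed metadata.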