Keycloak clients setting, SAML private key exposed

I know in SAML protocol, IDP and SP they hold their own key pair, and will not expose their private key to each other.

I assume the realm key below is the IDP key pair, which makes sense because the private key is not exposed.

But when I turn on "Client Signature Required" in the client settings, a SAML key is generated and the private key is exposed? That means the IDP knows the private key that will be used in the SP application.

It doesn't make sense; there must be something I got wrong. Can someone help clarify?

Sam YC asked Apr 18 '18 02:04





1 Answer

OK, I think I know the answer now.

My thought is correct: the client SAML key is used to sign the SAML request, and the realm key is used to sign the SAML response.

The client SAML private key should be kept on the client application's side. The reason Keycloak keeps it is that Keycloak provides an "installation" function, which makes it easy for the user to download the adapter configuration.

If the private key were not kept in Keycloak, the user would have to input the key value themselves, which may NOT be that convenient.


Sam YC answered Oct 29 '22 13:10

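To make the answer's point concrete, here is an added Go example (not from the original post and not Keycloak code): the SP and the realm each hold their own RSA key pair, the SP signs the AuthnRequest and the IdP signs the Response, and each side verifies the other with nothing but a public key. The `Party`/`Exchange` helpers, the issuer names and the message payloads are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one side of the SAML exchange: the SP (Keycloak "client") or the IdP
// (Keycloak realm). Each keeps its private key; the peer only gets the public key.
type Party struct{ priv *rsa.PrivateKey }

// Public is what goes into SAML metadata or Keycloak's "SAML Keys" tab.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Sign makes an RSA-SHA256 signature; only the private-key holder can do this.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, h[:])
}

// Verify checks sig with pub alone; no private key is needed on this side.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Exchange plays out a SAML login on constructed payloads: the SP signs the
// AuthnRequest (what "Client Signature Required" makes Keycloak check against the
// client cert) and the IdP signs the Response with the realm key.
func Exchange(sp, idp *Party) (bool, error) {
	authn := []byte(`<AuthnRequest Issuer="my-sp-client"/>`) // constructed sample
	sigReq, err := sp.Sign(authn)
	if err != nil { return false, err }
	reqOK := Verify(sp.Public(), authn, sigReq) // IdP side: client public key only
	resp := []byte(`<Response Issuer="https://idp.example/realms/demo"/>`) // constructed
	sigResp, err := idp.Sign(resp)
	if err != nil { return false, err }
	respOK := Verify(idp.Public(), resp, sigResp) // SP side: realm public key only
	return reqOK && respOK, nil
}

func main() {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // stays on the SP host
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the realm key, stays in the IdP
	ok, err := Exchange(&Party{priv: spKey}, &Party{priv: idpKey})
	fmt.Println("request and response verified with public keys only:", ok, err)
}
```

The practical consequence for Keycloak: if you generate the client key pair yourself and import only the certificate into the SAML Keys tab, the flow above still works, and the private key never has to exist on the IdP.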