
Create SAML client with keycloak admin api wrong value for signing #28390

Open
1 of 2 tasks
devmanspi opened this issue Apr 3, 2024 · 3 comments
Labels
area/admin/api area/saml Indicates an issue on SAML area kind/bug Categorizes a PR related to a bug priority/low team/core-clients
Milestone

Comments

@devmanspi

devmanspi commented Apr 3, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

admin/api

Describe the bug

I am using the Keycloak admin API in my own Java application to administer Keycloak from there.
Now I want to create a SAML client from there.

In my SP metadata signing is set to false (e.g. AuthnRequestsSigned="false") and I'm not providing any certificate.

When I create a SAML client with this metadata in the keycloak admin api, the resulting client doesn't have the right value for 'Client signature required' (it's always true). Everything else seems to be converted correctly from the metadata and the client is created successfully.

If I use the import client function in the Keycloak admin console (web) I can see the switch for 'Client signature required' is turning on or off based on the metadata I'm providing and the client is created with the right value for this.

Version

24.0.2

Regression

  • The issue is a regression

Expected behavior

The SAML client I'm creating with the admin api in my java app should have 'Client signature required' based on the SP metadata.

Actual behavior

The SAML client always has 'Client signature required' set to true.

How to Reproduce?

  1. Create a client with the admin API using metadata that has signing set to false.

```java
import jakarta.ws.rs.core.Response; // javax.ws.rs on older admin-client versions
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;

Keycloak keycloak = Keycloak.getInstance(...);
RealmResource realm = keycloak.realm(realmName);
String metadata;
...
// Convert the SP metadata into a client representation and create the client from it
ClientRepresentation cliRep = realm.convertClientDescription(metadata);
Response kcResp = realm.clients().create(cliRep);
```

  2. Check the client and see that 'Client signature required' is set to true.

  3. Create a client with the admin console (web) using the same metadata as before. This client has 'Client signature required' set based on the metadata.

Anything else?

Example SP metadata with signing=false

```xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-04-04T13:52:37Z" cacheDuration="PT604800S" entityID="http://example.saml.client" ID="ONELOGIN_0d4ce3be-d87a-4fee-938c-e5958d2cc6bc">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://mySPHost:1234/mySamlClient/sls.jsp"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://mySPHost:1234/mySamlClient/acs.jsp" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">SP Java</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">SP Java Example</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://sp.example.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Technical Guy</md:GivenName>
    <md:EmailAddress>technical@example.com</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>Support Guy</md:GivenName>
    <md:EmailAddress>support@example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```

Example SP metadata with signing=true

```xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-04-04T14:18:40Z" cacheDuration="PT604800S" entityID="http://example.saml.client" ID="ONELOGIN_296e840e-8a5a-40e0-9e80-267e63552cca">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://mySPHost:1234/mySamlClient/sls.jsp"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://mySPHost:1234/mySamlClient/acs.jsp" index="1"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">SP Java</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">SP Java Example</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://sp.example.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Technical Guy</md:GivenName>
    <md:EmailAddress>technical@example.com</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>Support Guy</md:GivenName>
    <md:EmailAddress>support@example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```

@keycloak-github-bot

Thanks for reporting this issue, but as this is reported against an older and unsupported release we are not able to evaluate the issue. Please verify with the nightly build or the latest release.

If the issue can be reproduced in the nightly build or latest release add a comment with additional information, otherwise this issue will be automatically closed within 14 days.

@devmanspi
Author

> Thanks for reporting this issue, but as this is reported against an older and unsupported release we are not able to evaluate the issue. Please verify with the nightly build or the latest release.
>
> If the issue can be reproduced in the nightly build or latest release add a comment with additional information, otherwise this issue will be automatically closed within 14 days.

I updated to v24.0.2, still same behaviour.

@rmartinc
Contributor

Hi @devmanspi!

This is a real issue but I think that it's low priority. The main reason is the converter is just adding SAML_CLIENT_SIGNATURE_ATTRIBUTE to true when the signing certificate is there (here). There is a setupClientDefaults that enables some default values because of security (one of them is client signatures to true). So if it is not specified then it will be true. Probably the converter needs to set it to true/false depending on the AuthnRequestsSigned in the metadata. Nevertheless, using SAML without signatures is a big security risk and totally not recommended for any production environment. If someone wants to fix this a test will be needed, for example in ClientDescriptionConverterTest.

@rmartinc rmartinc added this to the Backlog milestone Apr 12, 2024
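A worked example for both the reproduction steps in the issue and the converter behaviour rmartinc describes: the converter only sets the client-signature attribute to true when a signing certificate is present and the defaults then fill in true, so an SP that declares AuthnRequestsSigned="false" still ends up with 'Client signature required' on. The code below is an added example, not Keycloak's converter or the reporter's application. It parses the SP metadata itself, derives the value the attribute should have from AuthnRequestsSigned, and patches the client representation (handled here as the JSON dict the admin REST API exchanges) before it is created; it also refuses the two cases a practitioner should not let through silently: metadata that claims signed requests but publishes no signing certificate, and an unsigned SP unless the caller explicitly opts in, which follows the warning in the comment above. Assumptions: the attribute key behind 'Client signature required' is "saml.client.signature", and the two metadata samples are constructed, trimmed copies of the issue's own (the certificate body is a placeholder, not a real certificate).

```python
"""Derive 'Client signature required' from SP metadata and patch the client
representation before it is sent to the Keycloak admin API.

Added example, not Keycloak code. Assumptions: the client attribute behind
'Client signature required' is "saml.client.signature" (assumed to be
SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE), and the representation
is the JSON dict the admin REST API exchanges. The metadata samples below are
constructed, trimmed copies of the ones in the issue; the certificate body is
a placeholder, not a real certificate.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CLIENT_SIGNATURE_ATTR = "saml.client.signature"  # assumed attribute key

# Constructed samples with the same shape as the issue's metadata
# (Organization and ContactPerson elements omitted; they do not affect signing).
_SP_TEMPLATE = (
    '<?xml version="1.0"?>'
    '<md:EntityDescriptor xmlns:md="{md}" entityID="http://example.saml.client">'
    '<md:SPSSODescriptor AuthnRequestsSigned="{signed}" WantAssertionsSigned="false" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{keydesc}'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="http://mySPHost:1234/mySamlClient/acs.jsp" index="1"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)
_KEYDESC = (
    '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{ds}"><ds:X509Data>'
    '<ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>'  # placeholder, not a real cert
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
)
UNSIGNED_SP_METADATA = _SP_TEMPLATE.format(md=MD_NS, signed="false", keydesc="")
SIGNED_SP_METADATA = _SP_TEMPLATE.format(md=MD_NS, signed="true", keydesc=_KEYDESC.format(ds=DS_NS))


def parse_sp_signing(metadata_xml: str) -> dict:
    """Read what the SP declares: does it sign AuthnRequests, and does it publish a signing cert?"""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    requests_signed = (sp.get("AuthnRequestsSigned") or "false").strip().lower() == "true"
    has_signing_cert = False
    for kd in sp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
            if cert is not None and (cert.text or "").strip():
                has_signing_cert = True
    return {"authn_requests_signed": requests_signed, "has_signing_cert": has_signing_cert}


def signature_policy_error(metadata_xml: str, allow_unsigned: bool = False):
    """Return the reason to refuse this metadata, or None if it is acceptable."""
    info = parse_sp_signing(metadata_xml)
    if info["authn_requests_signed"] and not info["has_signing_cert"]:
        return "AuthnRequestsSigned=true but no signing certificate is published"
    if not info["authn_requests_signed"] and not allow_unsigned:
        return "SP disables request signing; unsigned SAML clients are refused by policy"
    return None


def patch_client_signature(client_rep: dict, metadata_xml: str, allow_unsigned: bool = False) -> dict:
    """Set saml.client.signature from AuthnRequestsSigned, overriding the converter's default of true."""
    error = signature_policy_error(metadata_xml, allow_unsigned)
    if error:
        raise ValueError(error)
    signed = parse_sp_signing(metadata_xml)["authn_requests_signed"]
    client_rep.setdefault("attributes", {})[CLIENT_SIGNATURE_ATTR] = "true" if signed else "false"
    return client_rep


if __name__ == "__main__":
    # What the converter hands back for the unsigned SP (signature forced to true), then patched.
    converted = {"clientId": "http://example.saml.client", "protocol": "saml",
                 "attributes": {CLIENT_SIGNATURE_ATTR: "true"}}
    print(patch_client_signature(converted, UNSIGNED_SP_METADATA, allow_unsigned=True)["attributes"])
```

In the reporter's flow this patch sits between convertClientDescription and clients().create: take the representation the converter returns, run it through patch_client_signature with the same metadata, and only then create the client. Keeping the explicit allow_unsigned opt-in means the insecure value can never be set by accident from metadata alone.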
No branches or pull requests

4 participants