kiranchavala opened a new issue, #12831:
URL: https://github.com/apache/cloudstack/issues/12831

   ### problem
   
   SAML authentication is not working when encryption is enabled in the IdP (Keycloak).
   
   ### versions
   
   ACS 4.22
   
   ### The steps to reproduce the bug
   
   
   
   1. Configure CloudStack for SAML authentication via Keycloak.
   
   SAML settings in CloudStack:
   
   ```
   saml2.enabled=true
   saml2.default.idpid=http://app.example.com
   saml2.check.signature=true
   saml2.idp.metadata.url=http://192.168.55.150:8080/realms/kiranchavala/protocol/saml/descriptor
   saml2.redirect.url=http://10.0.32.234:8080/client
   saml2.sp.slo.url=http://10.0.32.234:8080/client
   saml2.sp.sso.url=http://10.0.32.234:8080/client/api?command=samlSso
   ```
   
   
   2. On the Keycloak side, enable encryption and "Client signature required" after importing the CloudStack SAML certificate XML file.
   
   <img width="1428" height="929" alt="Image" src="https://github.com/user-attachments/assets/acec6de6-06a3-4be1-9ed3-92992b7cc130" />
   
   
   
   3. On CloudStack, log in with a SAML user.
   
   4. Exception occurred:
   
   ```
   Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.)
   ```
   ...
   
   
   When encryption is enabled, the SAML response is:
   
   ```
   <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                       Type="http://www.w3.org/2001/04/xmlenc#Element">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
           <xenc:EncryptedKey>
               <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
               <xenc:CipherData>
                   <xenc:CipherValue>EHu+v85wSU+PpS3Dgpc9n2I9zE5BQ7G99aMXu39GS4NweASCuxn/O9XIOEc6Jzq4xj+oH39qFwBtz9qXQeL5X6saRAWy1d382QdENe+wdm+P4dX9cZ4pgUH98y/V+2beAttz0R+awnFd3sQb0tt5cuA1oSgfRlEHVZAQa6REC5F8MRV1uSXaJ6maOwgD7NjS8jXpDif2c1WRa2HZx91jNR0TwKoxZ2DD1NQeWahQ/FmFCLEvmAroEhVUbOZiyWdmQdPAboFXQbFFnPjN6ppftioH0tBL8yyg2pC61p95cvVJibcMsjdGk1vnUPJav0JW3zw7iCfslwwTT94IhRNo9YHDJu+Z0jzqRSp7qUdpk01EPmGytwrP40h6eOxDWPNQfnaQvFa41/SYsx1mk/3Rd2N/v8QpySQWXZRJpgg7Jh2dJtQ1gDK4+uYo7IT5W69DYAbkz7cSqs81OJ4G/riqEl5of4+8JIT/6wcsx6Ue9q9YTYMMT4mjIFg3bKXb9PpWo22lnTajifZA7rNsEM/V7XLSG72WaEmJIVZrhGT/2n8kAp3zv9kWuwub+zjtOZ7UfmQ+HBOGt7CgWHqcZN8vx7znmGoCXq8Z5zBAlGH5Z1K80qWuZOkgoISPC3+JI5ksSyMQq7J9a27Fsl4rnKzbkXvlWB7dt+McBwu0rkXQZYU=</xenc:CipherValue>
               </xenc:CipherData>
           </xenc:EncryptedKey>
       </ds:KeyInfo>
       <xenc:CipherData>
           <xenc:CipherValue>...
   ```
   
   SAML response when encryption is disabled:
   
   ```
   <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="ID_2bb41ff0-24b8-479d-a9e4-1fe6b705ccbd"
                   IssueInstant="2026-03-16T08:47:50.893Z"
                   Version="2.0">
       <saml:Issuer>http://192.168.55.150:8080/realms/kiranchavala</saml:Issuer>
       <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
           <dsig:SignedInfo>
   ...
   ```
   
   If encryption is disabled on the Keycloak side, the login is successful.
   
   
   Related issues and discussion:
   
   https://github.com/apache/cloudstack/discussions/12788
   https://github.com/apache/cloudstack/issues/4519
   https://kiranchavala.in/blog/cloudstack-integration-with-keycloak/
   
   
   
   
   
   ### What to do about it?
   
   CloudStack should support (Keycloak) IdP encryption.
   
   Currently, CloudStack is not able to decrypt the payload from Keycloak in the SAML response.
   
   Ideally, this should be the authentication flow:
   
   ```
   CloudStack → sends AuthnRequest
          ↓
   Keycloak authenticates user
          ↓
   Keycloak encrypts assertion
   using CloudStack SP certificate
          ↓
   Browser sends SAMLResponse
          ↓
   CloudStack decrypts using
   private key from keystore table
   ```
   
   
   CloudStack stores the certificate and key pair in the `keystore` table of the database:
   
   
   ```
   mysql> select * from keystore \G;
   *************************** 1. row ***************************
              id: 1
            name: SAMLSP_KEYPAIR
      certificate: ...
EOiYU9ZVdUNUaFFy1uF5udp/6sXAWrzYIIr9Yk1p5F2LZjLv5OseMgKnCClmW+TCyQRGlz7nqYUPSpBSu5U8d/WAH2gAi3LsVEXpeRr04GiXZR/SkjMZmWF7BvetyI1zvTCWBNktgvkuExaBNFZ70aqE8NXJ5h73pqYPukYJS7dzhTD4kyPP9yto2y1IKw/xw=
              key: ...
 yz9hMPSFjknU9w2Q+YfpV7XgHGDsuRmm1UOPO/w=
   domain_suffix: samlsp-keypair
             seq: NULL
   *************************** 2. row ***************************
              id: 2
            name: SAMLSP_X509CERT
      certificate: ...
g0HUsytJ/PfVio7NUg/uO9Sb0AS0S4ghC9D+OjoRLaJ3wQBwacaZvHVabw5c+ZxI/LbTf2mvdH/fd6OJIj5fAgMBAAEwDQYJKoZIhvcNAQELBQADggIBACXFqmBqy3i+Mcew/fDznODq9c6X7RP0drpkUyHQmE8fi4GwQTA61ueJuUg+6zXnXKq2WEuiq4EIJwKzpVIpoxfrFhi9t7ASWq2g1skaeKuR3DA53f4zPTW52zcwMQ5QErdBUZBaJfD57bkeQXWzUZVC6dqa7qG17vgiSCtIMirdPJ0BrwPyCkmsECSJgqZcQOUm554uRsHujyYhYKZ0rOs+elnb36mTNEsS44Fpgs3NlvdaonMiDR0XTqq6QKLNpi/h2bjSatYDp72TrYyqcgcLearflhP9RXGocFtkYpj38JJdAJiPtN073aa+LwSsOQ10vw2+kh2MAPQJ9H202V7YPDK5QxGosJDBG7zy5Ck54+z/GcdBFGDxxt/pull1/iMjZImVV1Ix652et4vE73EPHOWtGXmHwRSWtaHQCoWegOBLsImRCBMdxxJAs256sITUm1whCp7Mru9GXy9P7SVnb1w6d7wYKQHpwT8tjqbMUpOILhHdOR3+zkNSnNWqpKFusFhiagxG6MY4iK7oqjLINQUlozd0P/rmvYMtmcAlfy+SIzfSH8JYvwxjXElCKrSuz0KOAiYZTdfeG5pMaQQKAvT51fhC3k2hwoThaOYSKF+PSfyIbe20kuGA4VzP/4lYKI5yaTFN9qaTHQ4/zfkaMDiCvPDtkZLY9VWjz1ONdAAFWC41MDk=
             key:
   domain_suffix: samlsp-x509cert
             seq: NULL
   2 rows in set (0.00 sec)
   
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
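The decryption step the reporter describes (Keycloak encrypts the assertion to the SP certificate; the SP unwraps the content-encryption key with its RSA private key and then decrypts the assertion), as an added, self-contained Python example. This is not CloudStack's code and not part of the original issue; it reproduces the exact algorithm pair in the captured response, `aes128-cbc` for the data and `rsa-oaep-mgf1p` for the key transport, with the `cryptography` package. The assertion text and the RSA key it generates are constructed stand-ins for the Keycloak assertion and for the `SAMLSP_KEYPAIR` row (the example does not claim to know how that row is encoded), and all function names are assumptions. The IdP-side `idp_encrypt` exists only so the example runs end to end offline.

```python
import base64
import os
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
AES128_CBC = XENC + "aes128-cbc"          # data algorithm seen in the captured response
RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"  # key transport algorithm seen in the response
BLOCK = 16

# Constructed stand-in for the assertion the IdP would issue; not a real Keycloak assertion.
SAMPLE_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="ID_constructed" Version="2.0">'
    b'<saml:Issuer>http://idp.example.test/realms/demo</saml:Issuer>'
    b'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    b'</saml:Assertion>'
)


def generate_sp_keypair():
    # Hypothetical stand-in for the SP key pair CloudStack keeps in its keystore table.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _oaep():
    # rsa-oaep-mgf1p with no DigestMethod child means SHA-1 for both OAEP and MGF1.
    return padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)


def _xmlenc_pad(data: bytes) -> bytes:
    # XML-Enc block padding: last octet is the pad length, the other pad octets are arbitrary.
    n = BLOCK - (len(data) % BLOCK)
    return data + os.urandom(n - 1) + bytes([n])


def _xmlenc_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or n > len(data):
        raise ValueError("bad XML-Enc padding")
    return data[:-n]


def _q(ns: str, name: str) -> str:
    return "{%s}%s" % (ns, name)


def _find(el, path):
    child = el.find(path)
    if child is None:
        raise ValueError("missing element: " + path)
    return child


def idp_encrypt(plaintext: bytes, sp_public_key) -> bytes:
    """IdP side: build the EncryptedData/EncryptedKey structure shown in the issue."""
    cek, iv = os.urandom(16), os.urandom(BLOCK)
    enc = Cipher(algorithms.AES(cek), modes.CBC(iv)).encryptor()
    body = iv + enc.update(_xmlenc_pad(plaintext)) + enc.finalize()  # IV is prepended
    wrapped_cek = sp_public_key.encrypt(cek, _oaep())

    ET.register_namespace("xenc", XENC)
    ET.register_namespace("ds", DS)
    ed = ET.Element(_q(XENC, "EncryptedData"), {"Type": XENC + "Element"})
    ET.SubElement(ed, _q(XENC, "EncryptionMethod"), {"Algorithm": AES128_CBC})
    ek = ET.SubElement(ET.SubElement(ed, _q(DS, "KeyInfo")), _q(XENC, "EncryptedKey"))
    ET.SubElement(ek, _q(XENC, "EncryptionMethod"), {"Algorithm": RSA_OAEP_MGF1P})
    cv = ET.SubElement(ET.SubElement(ek, _q(XENC, "CipherData")), _q(XENC, "CipherValue"))
    cv.text = base64.b64encode(wrapped_cek).decode()
    cv = ET.SubElement(ET.SubElement(ed, _q(XENC, "CipherData")), _q(XENC, "CipherValue"))
    cv.text = base64.b64encode(body).decode()
    return ET.tostring(ed)


def sp_decrypt(encrypted_data_xml: bytes, sp_private_key) -> bytes:
    """SP side: the step CloudStack would need, using the SP private key."""
    ed = ET.fromstring(encrypted_data_xml)
    if ed.tag != _q(XENC, "EncryptedData"):
        raise ValueError("not an xenc:EncryptedData element")
    data_alg = _find(ed, _q(XENC, "EncryptionMethod")).get("Algorithm")
    if data_alg != AES128_CBC:
        raise ValueError("unsupported data encryption algorithm: %s" % data_alg)
    # Keycloak places the EncryptedKey inline under ds:KeyInfo, as in the captured response.
    ek = _find(ed, _q(DS, "KeyInfo") + "/" + _q(XENC, "EncryptedKey"))
    key_alg = _find(ek, _q(XENC, "EncryptionMethod")).get("Algorithm")
    if key_alg != RSA_OAEP_MGF1P:
        raise ValueError("unsupported key transport algorithm: %s" % key_alg)
    cipher_value = _q(XENC, "CipherData") + "/" + _q(XENC, "CipherValue")
    cek = sp_private_key.decrypt(base64.b64decode(_find(ek, cipher_value).text), _oaep())
    if len(cek) != 16:
        raise ValueError("unwrapped key is not an AES-128 key")
    body = base64.b64decode(_find(ed, cipher_value).text)
    iv, ct = body[:BLOCK], body[BLOCK:]
    if not ct or len(ct) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    dec = Cipher(algorithms.AES(cek), modes.CBC(iv)).decryptor()
    # CBC gives confidentiality only: the caller must still verify the XML signature on the
    # decrypted assertion (or the enclosing response) before trusting any attribute in it.
    return _xmlenc_unpad(dec.update(ct) + dec.finalize())


def roundtrip() -> bytes:
    key = generate_sp_keypair()
    return sp_decrypt(idp_encrypt(SAMPLE_ASSERTION, key.public_key()), key)


if __name__ == "__main__":
    print(roundtrip().decode())
```

`sp_decrypt` accepts only the two algorithm URIs that appear in the captured response and refuses anything else, so a response that swaps the key transport to another scheme is rejected rather than silently decrypted; and because AES-CBC provides no integrity, the signature check on the decrypted assertion is what actually authenticates the attributes CloudStack then looks up (the username attribute from the error message), so it has to run after decryption, not be skipped because the response "was encrypted".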
