ngrosc commented on issue #4519:
URL: https://github.com/apache/cloudstack/issues/4519#issuecomment-738984435


   hi guys
   
   sorry for the late answer.
   
   we're using https, not http, so that should not be the main issue.
   
   as IdP, we're using Keycloak with the following config:
   
   `
   {
       "clientId": "iaas.cloudstack",
       "baseUrl": "https://**********/client";,
       "surrogateAuthRequired": false,
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
       "redirectUris": [
           "https://**********/client/api?command=samlSso";,
           "https://**********/client/api?command=samlSlo";,
       ],
       "webOrigins": [],
       "notBefore": 0,
       "bearerOnly": false,
       "consentRequired": false,
       "standardFlowEnabled": true,
       "implicitFlowEnabled": false,
       "directAccessGrantsEnabled": false,
       "serviceAccountsEnabled": false,
       "publicClient": false,
       "frontchannelLogout": true,
       "protocol": "saml",
       "attributes": {
           "saml.assertion.signature": "false",
           "saml_assertion_consumer_url_redirect": 
"https://**********/client/api?command=samlSso";,
           "saml.force.post.binding": "true",
           "saml.multivalued.roles": "false",
           "saml_single_logout_service_url_post": 
"https://**********/client/api?command=samlSlo";,
           "saml.encrypt": "false",
           "saml_assertion_consumer_url_post": 
"https://**********/client/api?command=samlSso";,
           "saml.server.signature": "true",
           "saml.server.signature.keyinfo.ext": "false",
           "exclude.session.state.from.auth.response": "false",
           "saml.signing.certificate": "**********",
           "saml_single_logout_service_url_redirect": 
"https://**********/client/api?command=samlSlo";,
           "saml.signature.algorithm": "RSA_SHA256",
           "saml_force_name_id_format": "false",
           "saml.client.signature": "false",
           "tls.client.certificate.bound.access.tokens": "false",
           "saml.authnstatement": "true",
           "display.on.consent.screen": "false",
           "saml.signing.private.key": "**********",
           "saml_name_id_format": "username",
           "saml.onetimeuse.condition": "false",
           "saml_signature_canonicalization_method": 
"http://www.w3.org/2001/10/xml-exc-c14n#";
       },
       "authenticationFlowBindingOverrides": {},
       "fullScopeAllowed": true,
       "nodeReRegistrationTimeout": -1,
       "protocolMappers": [
           {
               "name": "username-2-userid",
               "protocol": "saml",
               "protocolMapper": "saml-user-property-mapper",
               "consentRequired": false,
               "config": {
                   "attribute.nameformat": "Basic",
                   "user.attribute": "username",
                   "attribute.name": "uid"
               }
           }
       ],
       "defaultClientScopes": [
           "web-origins",
           "role_list",
           "profile",
           "roles",
           "email"
       ],
       "optionalClientScopes": [
           "address",
           "phone",
           "offline_access"
       ],
       "access": {
           "view": true,
           "configure": true,
           "manage": true
       }
   }
   `
   
   regarding PaulAngus' answer:
   yes, we have saml.client.signature and saml.encrypt set to false in
   Keycloak (and saml.assertion.signature is false as well, so the assertion
   itself is not signed either), so that might be the issue for all of this.
   I'll try to change that in an emergency maintenance window and post an
   update.
   
   thanks for your help!

