GitHub user chunkyen edited a discussion: SAML with Keycloak, signing and encryption confusion
Hi, I have configured my CloudStack 4.22 to integrate with Keycloak 26.5.5 via SAML. I have read [#4519](https://github.com/apache/cloudstack/issues/4519) and it seems to imply that CloudStack supports both signing and encryption of the SAML payload. However, to get my Keycloak to work, I need to turn off encryption of the assertions. Otherwise, I get "Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.", which I think is because CloudStack is not able to decrypt the payload from Keycloak. I am using the key provided by getSPMetadata for both signing and encryption in Keycloak.

For signing, there is a global configuration named "saml2.check.signature". However, even with this turned on, I can still sign in using SAML when the "Client signature required" setting is turned OFF in Keycloak. So I am not sure whether the CloudStack "saml2.check.signature" setting is actually enforcing the signature-checking requirement.

Edit: there are two settings in Keycloak for signatures, "Sign Documents" and "Sign assertions"; "Sign Documents" also includes "Sign assertions". So with "Sign Documents" disabled and saml2.check.signature enabled, I am not able to sign in, **which is the correct behaviour** (see error screen below). "Sign assertions" has no impact on SAML when integrating with CloudStack.

[screenshot: CloudStack SAML sign-in error]

GitHub link: https://github.com/apache/cloudstack/discussions/12788
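The three Keycloak knobs discussed in the post each change the shape of the `SAMLResponse` that the browser posts to the SP: a document-level signature sits directly under `samlp:Response`, an assertion-level signature sits under `saml:Assertion`, and assertion encryption replaces `saml:Assertion` with `saml:EncryptedAssertion`, so the username attribute is simply not readable until the SP decrypts it. The following is an added example, not code from the post, CloudStack or Keycloak: a small stdlib-only Python script that decodes a base64 `SAMLResponse` value and reports which of those three protections are present and which attribute names are readable. The sample responses it builds are constructed skeletons with placeholder signature and cipher values; the script only inspects structure and does not validate signatures or decrypt anything. To use it on a real login, copy the `SAMLResponse` form field from the browser's network tab and pass it to `inspect_saml_response`.

```python
import base64
from xml.etree import ElementTree as ET

# Namespace map for the elements we care about (SAML 2.0 protocol/assertion, XML-DSig).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder signature element used only in constructed samples (not a valid signature).
_FAKE_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
             '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')


def inspect_saml_response(b64_response: str) -> dict:
    """Decode a form-posted SAMLResponse value and report how it is protected.

    response_signed     - ds:Signature directly under samlp:Response
                          (what the post calls Keycloak "Sign Documents")
    assertion_signed    - ds:Signature directly under saml:Assertion
                          (Keycloak "Sign assertions")
    assertion_encrypted - the assertion arrived as saml:EncryptedAssertion, so
                          no attribute is readable without the SP's private key
    attribute_names     - Name= of every readable saml:Attribute
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    # find() without ".//" matches direct children only, which is what we want:
    # a signature nested deeper (e.g. inside KeyInfo) must not count.
    result = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "attribute_names": [],
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        result["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
        result["attribute_names"] = [
            a.get("Name")
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        ]
    return result


def username_readable(report: dict, attribute_name: str) -> bool:
    """True if the SP could read the configured username attribute without decrypting."""
    return attribute_name in report["attribute_names"]


def make_sample(sign_response: bool, sign_assertion: bool, encrypt: bool) -> str:
    """Build a constructed, base64-encoded skeletal SAMLResponse for offline testing.

    Shape only: signature and cipher values are placeholders (this is an assumption
    of the example, not real Keycloak output).
    """
    attrs = ('<saml:AttributeStatement><saml:Attribute Name="username">'
             '<saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>'
             '</saml:AttributeStatement>')
    if encrypt:
        assertion = ('<saml:EncryptedAssertion>'
                     '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
                     '<xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>'
                     '</xenc:EncryptedData></saml:EncryptedAssertion>')
    else:
        assertion = '<saml:Assertion ID="_a1" Version="2.0">%s%s</saml:Assertion>' % (
            _FAKE_SIG if sign_assertion else "", attrs)
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
           '%s<samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>%s'
           '</samlp:Response>') % (_FAKE_SIG if sign_response else "", assertion)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Walk through the combinations the post describes.
    for label, flags in [("Sign Documents only", (True, False, False)),
                         ("Sign assertions only", (False, True, False)),
                         ("both signed + encrypted", (True, True, True))]:
        rep = inspect_saml_response(make_sample(*flags))
        print("%-25s %s  username readable: %s" % (label, rep, username_readable(rep, "username")))
```

In the encrypted case the report shows no attribute names at all, which is consistent with an SP that cannot decrypt the assertion complaining that it cannot find the username attribute rather than reporting a decryption failure.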
