Alex Li
Posted November 8

I use KeyCloak as the IDP for UAG, and an error occurs when I try to log in.

UAG Version: 2312/2406
Keycloak Version: 26.0.1

The error in Keycloak is that the disabled "rsa-sha1" algorithm is used:

```
2024-11-08 16:07:19,951 ERROR [org.keycloak.protocol.saml.SamlService] (executor-thread-92) request validation failed: org.keycloak.common.VerificationException: Error validating signature
... 19 more
Caused by: javax.xml.crypto.MarshalException: It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 when secure validation is enabled
... 18 more
```

I captured the SAML authentication process and found that the "rsa-sha1" encryption algorithm was indeed used in the request.

```
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://10.208.0.251/portal/samlsso"
    Destination="https://sso.ccut.edu.cn/realms/master/protocol/saml"
    ForceAuthn="true"
    ID="_4da7d453d7418107f29c77a116386310"
    IssueInstant="2024-11-08T07:35:26.113Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="portal"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://10.208.0.251/portal</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#_4da7d453d7418107f29c77a116386310">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>h9iQYKBELBTK3kj3a820nDYPcUWoh1PPad4kzNG+l18=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Uhfgiz69RM5COQaIeSwfufqYBEC5ErhgMT+kvpEBiS1ickQ7GSVxN0WxfnXkBry7A0uHp0VM5KV1
JEhMXvGfivmCZDEx+CLgAEp6x0dRI5CI461qUV7HpGyZ9CUe+2MTOqIXe82VUuFPUycjPLyYWuTH
/uqqRO3haof1nsWpnZ3TyysMQShQOGH9E4Ua1Tbm3KGg0SBB/O0p+mAWdSXHyPGCWunEhIR9u79b
DjNOOZ5Fmdr1wN1mc3RpfCLKoUsdrHEeD+3CEQ7Mwir3NHECPx27wBIbaoNSNKgBgq5STIRKFmw6
FcZUZPxqn40tg/Ny/2ARUER0C/XlXy0JT+1yzg==
    </ds:SignatureValue>
  </ds:Signature>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml2p:NameIDPolicy>
</saml2p:AuthnRequest>
```

How should I solve this problem? I saw that the SAML requests of others in the forum are correct, for example:

```
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
```
Victor León (Employee)
Posted November 8

Hi,

There were security changes to the UAG in version 2312, and SHA-1 thumbprints are deprecated. Not sure if this is the issue tbh, but I would try with SHA-256 instead.

https://kb.omnissa.com/s/article/96373#Deprecation
Alex Li (Author)
Posted November 9

The configuration you provided is for Connection Server etc., but for the SAML POST request, that doesn't help.
Sascha Warno (Employee, Solution)
Posted November 18

If the IdP metadata does not include a specific signature block, UAG will use SHA-1 to sign the request. You can add the following into the IdP metadata to make UAG use SHA-256.

```
<md:EntityDescriptor ...>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm=""/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
  </ds:Signature>
  <md:IDPSSODescriptor ...>
    ...
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
```

The block to copy in goes from `<ds:Signature ...>` to `</ds:Signature>`; the rest shows where to place it in the metadata file.
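The two halves of this thread, checking which algorithms a captured AuthnRequest was actually signed with (the Keycloak "forbidden to use algorithm ... when secure validation is enabled" error in the question) and adding the ds:Signature template from the accepted answer to IdP metadata that lacks one, can both be automated. The script below is an added example, not code from the thread, from UAG or from Keycloak. The AuthnRequest and metadata it parses are constructed for the demo (shaped like the request posted above, with example.test hostnames), the SAMLRequest form-field handling is the standard base64 HTTP-POST binding, and where the posted template leaves `CanonicalizationMethod Algorithm=""` empty the script fills in exclusive canonicalization, the same algorithm the captured request used; that fill-in is this example's assumption, not something the answer states.

```python
"""Check a SAML AuthnRequest's signature algorithms and add a SHA-256
ds:Signature block to IdP metadata that has none.

Added example, not code from the thread, UAG or Keycloak. Sample XML and
hostnames below are constructed for the demo.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
DS = "{%s}" % NS["ds"]

# Standard XML-DSig algorithm identifiers.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# SHA-1 based algorithms rejected by Java XML-DSig secure validation
# (the javax.xml.crypto.MarshalException quoted in the question).
FORBIDDEN = {RSA_SHA1, SHA1_DIGEST}

# Constructed AuthnRequest mirroring the shape of the one posted above:
# rsa-sha1 signature over a sha256 digest. Digest/signature values are dummies.
SAMPLE_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://uag.example.test/portal/samlsso"
    Destination="https://idp.example.test/realms/master/protocol/saml"
    ID="_constructed0001" IssueInstant="2024-11-08T07:35:26.113Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_constructed0001">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</saml2p:AuthnRequest>"""

# Constructed IdP metadata with no ds:Signature block, the case Sascha describes.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/realms/master">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def encode_post_binding(xml_text):
    """HTTP-POST binding: the SAMLRequest form field is the base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(saml_request_b64):
    """Inverse of encode_post_binding; use on a SAMLRequest value from a capture."""
    return base64.b64decode(saml_request_b64).decode("utf-8")


def signature_algorithms(xml_text):
    """Return (SignatureMethod, DigestMethod) URIs of the first ds:Signature, or None."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    dig = root.find(".//ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return (sig.get("Algorithm") if sig is not None else None,
            dig.get("Algorithm") if dig is not None else None)


def check_authn_request(xml_text):
    """List the problems a secure-validation IdP would raise for this request."""
    sig, dig = signature_algorithms(xml_text)
    problems = []
    if sig is None:
        problems.append("request is not signed")
    elif sig in FORBIDDEN:
        problems.append("forbidden SignatureMethod %s" % sig)
    if dig in FORBIDDEN:
        problems.append("forbidden DigestMethod %s" % dig)
    return problems


def ensure_sha256_signature_block(metadata_xml):
    """Insert the accepted answer's ds:Signature template (rsa-sha256, sha256 digest)
    as the first child of EntityDescriptor when none exists. Returns (xml, inserted).
    DigestValue and SignatureValue stay empty exactly as in the posted template."""
    root = ET.fromstring(metadata_xml)
    if root.find("ds:Signature", NS) is not None:
        return metadata_xml, False
    sig = ET.Element(DS + "Signature")
    info = ET.SubElement(sig, DS + "SignedInfo")
    # Assumption of this example: fill the empty Algorithm="" with exc-c14n.
    ET.SubElement(info, DS + "CanonicalizationMethod", Algorithm=EXC_C14N)
    ET.SubElement(info, DS + "SignatureMethod", Algorithm=RSA_SHA256)
    ref = ET.SubElement(info, DS + "Reference", URI="")
    transforms = ET.SubElement(ref, DS + "Transforms")
    ET.SubElement(transforms, DS + "Transform", Algorithm=ENVELOPED)
    ET.SubElement(transforms, DS + "Transform", Algorithm=EXC_C14N)
    ET.SubElement(ref, DS + "DigestMethod", Algorithm=SHA256_DIGEST)
    ET.SubElement(ref, DS + "DigestValue")
    ET.SubElement(sig, DS + "SignatureValue")
    root.insert(0, sig)
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    captured = decode_post_binding(encode_post_binding(SAMPLE_REQUEST))
    print("captured request:", check_authn_request(captured) or "OK")
    fixed_metadata, inserted = ensure_sha256_signature_block(SAMPLE_METADATA)
    print("metadata patched:", inserted, signature_algorithms(fixed_metadata))
```

Run `check_authn_request` on the SAMLRequest value pulled from a browser capture before and after re-uploading the patched metadata to UAG; the report should go from "forbidden SignatureMethod ...rsa-sha1" to empty once UAG picks up the rsa-sha256 template.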
Alex Li (Author)
Posted November 22

@Sascha Warno Thank you very much, it's working fine now.