
Recommended Posts

Posted

I use Keycloak as the IDP for UAG, and an error occurs when I try to log in.

UAG Version: 2312/2406

Keycloak Version: 26.0.1

The error in Keycloak is that the disabled "rsa-sha1" algorithm is used:
```
2024-11-08 16:07:19,951 ERROR [org.keycloak.protocol.saml.SamlService] (executor-thread-92) request validation failed: org.keycloak.common.VerificationException: Error validating signature
... 19 more
Caused by: javax.xml.crypto.MarshalException: It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 when secure validation is enabled
... 18 more
```


I captured the SAML authentication process and found that the "rsa-sha1" encryption algorithm was indeed used in the request.
```
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://10.208.0.251/portal/samlsso" Destination="https://sso.ccut.edu.cn/realms/master/protocol/saml" ForceAuthn="true" ID="_4da7d453d7418107f29c77a116386310" IssueInstant="2024-11-08T07:35:26.113Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="portal" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://10.208.0.251/portal</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
      <ds:Reference URI="#_4da7d453d7418107f29c77a116386310">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
        <ds:DigestValue>h9iQYKBELBTK3kj3a820nDYPcUWoh1PPad4kzNG+l18=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Uhfgiz69RM5COQaIeSwfufqYBEC5ErhgMT+kvpEBiS1ickQ7GSVxN0WxfnXkBry7A0uHp0VM5KV1
JEhMXvGfivmCZDEx+CLgAEp6x0dRI5CI461qUV7HpGyZ9CUe+2MTOqIXe82VUuFPUycjPLyYWuTH
/uqqRO3haof1nsWpnZ3TyysMQShQOGH9E4Ua1Tbm3KGg0SBB/O0p+mAWdSXHyPGCWunEhIR9u79b
DjNOOZ5Fmdr1wN1mc3RpfCLKoUsdrHEeD+3CEQ7Mwir3NHECPx27wBIbaoNSNKgBgq5STIRKFmw6
FcZUZPxqn40tg/Ny/2ARUER0C/XlXy0JT+1yzg==
    </ds:SignatureValue>
  </ds:Signature>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml2p:NameIDPolicy>
</saml2p:AuthnRequest>
```

How should I solve this problem? I saw that the SAML request of others in the forum is correct, for example:
```
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
```
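The quickest way to confirm what the question describes is to pull the `SignatureMethod` and `DigestMethod` URIs out of a captured request and compare them against the SHA-1 identifiers that Keycloak's secure validation refuses. The script below is an added example written for this thread, not UAG or Keycloak code; the sample `AuthnRequest` copies the structure of the captured request above but uses a constructed ID, a constructed issuer URL (`uag.example.test`) and placeholder digest and signature values, so it can only be inspected, not validated. `decode_saml_param` also handles the two wire encodings a capture will contain: plain base64 for the HTTP-POST binding and base64 over raw DEFLATE for the HTTP-Redirect binding.

```python
"""Report the XML-DSig algorithms a SAML message declares.

Added example for this thread; not UAG or Keycloak code. The sample request
is constructed: placeholder ID, issuer and digest/signature values.
"""
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# SHA-1 based XML-DSig identifiers; Keycloak's secure validation rejects these.
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed sample mirroring the captured request's structure (SHA-1 variant).
SAMPLE_SHA1_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://uag.example.test/portal</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_example-request-id">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
  </ds:Signature>
</saml2p:AuthnRequest>"""

# Same document as UAG emits it once the metadata declares rsa-sha256.
SAMPLE_SHA256_REQUEST = SAMPLE_SHA1_REQUEST.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
)


def decode_saml_param(value: str) -> str:
    """Turn a captured SAMLRequest/SAMLResponse value back into XML.

    HTTP-POST carries plain base64; HTTP-Redirect carries base64 of raw DEFLATE
    (URL-decode a query-string value first if it is still percent-encoded).
    """
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_post_binding(xml_text: str) -> str:
    """Inverse of decode_saml_param for the POST binding (used for the round trip)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml_text: str) -> str:
    """Inverse of decode_saml_param for the Redirect binding (raw DEFLATE + base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def audit_signature(xml_text: str) -> dict:
    """Return the declared SignatureMethod/DigestMethod URIs and which are SHA-1."""
    # Offline inspection of a capture you took yourself; use defusedxml for untrusted feeds.
    root = ET.fromstring(xml_text)
    signed_info = root.find("ds:Signature/ds:SignedInfo", NS)
    if signed_info is None:
        return {"signed": False, "signature_method": None, "digest_methods": [], "weak": []}
    method = signed_info.find("ds:SignatureMethod", NS)
    signature_method = None if method is None else method.get("Algorithm")
    digest_methods = [
        d.get("Algorithm") for d in signed_info.findall("ds:Reference/ds:DigestMethod", NS)
    ]
    weak = [a for a in [signature_method, *digest_methods] if a in SHA1_ALGORITHMS]
    return {
        "signed": True,
        "signature_method": signature_method,
        "digest_methods": digest_methods,
        "weak": weak,
    }


if __name__ == "__main__":
    for label, doc in (("sha1", SAMPLE_SHA1_REQUEST), ("sha256", SAMPLE_SHA256_REQUEST)):
        report = audit_signature(doc)
        verdict = "rejected by secure validation" if report["weak"] else "ok"
        print(f"{label}: {report['signature_method']} -> {verdict}")
```

Run against the real capture, `audit_signature` returns the `rsa-sha1` URI in `weak` for the request quoted above and an empty list for a request signed with `rsa-sha256`, which matches the Keycloak error in the log.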

  • 2 weeks later...
  • Employee
  • Solution
Posted

If the IDP metadata does not include a specific signature block, UAG will use SHA1 to sign the request. You can add the following into the IdP metadata to make UAG use SHA256.

```
<md:EntityDescriptor ...... >
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm=""/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue/>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue/>
    </ds:Signature>
    <md:IDPSSODescriptor .... >
       ..
       ..
       ..
    </md:IDPSSODescriptor>
</md:EntityDescriptor>
```

The block to copy in goes from `<ds:Signature ...>` to `</ds:Signature>`.

The rest is for placing it in the metadata file.

  • Insightful 2
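Since the fix is a mechanical edit to the IdP metadata file, it is worth scripting so that it is applied the same way on every UAG appliance and can be verified afterwards. The script below is an added example written for this thread, not Omnissa/UAG code. `SIGNATURE_TEMPLATE` is the exact `<ds:Signature>` block from the answer above; `SAMPLE_IDP_METADATA` is a constructed, minimal `EntityDescriptor` with a placeholder `entityID` and SSO endpoint (`idp.example.test`). The inserted block is only a template that tells UAG which algorithm to sign with; its `SignatureValue` is empty, so it is not a signature over the metadata.

```python
"""Insert the SHA-256 signature block into IdP metadata that lacks one.

Added example for this thread, not Omnissa/UAG code. SIGNATURE_TEMPLATE is the
block posted in the answer; SAMPLE_IDP_METADATA is constructed with placeholder
values.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Keep the customary prefixes on output instead of ElementTree's ns0/ns1.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# The block from the answer, verbatim.
SIGNATURE_TEMPLATE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm=""/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue/>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
</ds:Signature>"""

# Constructed minimal IdP metadata without any signature block (placeholder values).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/realms/example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def declared_signature_method(metadata_xml: str):
    """Return the SignatureMethod URI the metadata declares, or None if there is no block."""
    root = ET.fromstring(metadata_xml)
    node = root.find(f"{{{DS_NS}}}Signature/{{{DS_NS}}}SignedInfo/{{{DS_NS}}}SignatureMethod")
    return None if node is None else node.get("Algorithm")


def ensure_sha256_signature_block(metadata_xml: str) -> str:
    """Insert the template as the first child of EntityDescriptor if no block exists.

    Metadata that already carries a ds:Signature is returned unchanged, so an
    existing weak declaration is reported by declared_signature_method rather
    than silently overwritten.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root element")
    if root.find(f"{{{DS_NS}}}Signature") is not None:
        return metadata_xml
    block = ET.fromstring(SIGNATURE_TEMPLATE)
    block.tail = "\n    "
    root.insert(0, block)  # ds:Signature precedes the role descriptors
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = declared_signature_method(SAMPLE_IDP_METADATA)
    patched = ensure_sha256_signature_block(SAMPLE_IDP_METADATA)
    print(f"before: {before}")
    print(f"after:  {declared_signature_method(patched)}")
    print(patched)
```

Running `declared_signature_method` on the metadata you are about to upload gives a one-line check that UAG will be told to use `rsa-sha256`; re-running the patch on already-patched metadata is a no-op.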
