
SAML Request <SignatureValue> content contains line breaks, resulting in keycloak "invalid signature"


Solved by Alex Li

Posted

In my environment, keycloak has mandatory security configuration. If the <SignatureValue> of the SAML Request contains line breaks, authentication will fail.

I tried adding "-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true" to "/opt/vmware/gateway/supervisor/conf/esmanager.ini", but it did not solve the problem.

SAML Request captured by the browser:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://10.208.0.251/portal/samlsso" Destination="https://sso.ccut.edu.cn/realms/master/protocol/saml" ForceAuthn="false" ID="_8c7436fdf8b208e1678bf5fe87f2db24" IssueInstant="2024-11-27T03:52:01.963Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="portal" Version="2.0">
 <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://10.208.0.251/portal</saml2:Issuer>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
   <ds:Reference URI="#_8c7436fdf8b208e1678bf5fe87f2db24">
    <ds:Transforms>
     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
    <ds:DigestValue>A+C9aWbncDtUIhDRM1LmuAJ1ZuFzkN8GdEFcTUrU08s=</ds:DigestValue>
   </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>
fHJNAw1ce3CSz70ZIvaftwQyTXZF2zmq5muDYZwNZ6JieflRbNtIzaBAPuk7UAstdhjWVL9w2EOJ
ffeKxUh/c1p/FXD8jWREcvSpezgOKsEw0qmfj0yOa2cvyr7sLM/SAHWzQS42hdXZ2WSTYMW7wNvt
XLHVVxBgxdOEj1agrOqhn9tzbytFOzyaFKRzOPOVTjocoRrEdwR+xP+i8yCnzEWRrTXEFqdQxRWl
limrvLrDFG56wVzz9QDm7hTdeTvStM9i7LLMlbawJ0L1wa4vGFa7sDcog+EgC96WldscQHmB7fbW
W8+j6C+GEBcBojX2kkKNpPG93HuC4tkWToNeQw==
</ds:SignatureValue>
 </ds:Signature>
 <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml2p:NameIDPolicy>
</saml2p:AuthnRequest>


The newline character "&#13;" can be seen in the keycloak log:

2024-11-27 11:52:03,191 DEBUG [org.keycloak.protocol.saml.SamlService] (executor-thread-226) SAML POST
2024-11-27 11:52:03,191 DEBUG [org.keycloak.saml.SAMLRequestParser] (executor-thread-226) SAML POST Binding
2024-11-27 11:52:03,192 DEBUG [org.keycloak.saml.SAMLRequestParser] (executor-thread-226) <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://10.208.0.251/portal/samlsso" Destination="https://sso.ccut.edu.cn/realms/master/protocol/saml" ForceAuthn="false" ID="_8c7436fdf8b208e1678bf5fe87f2db24" IssueInstant="2024-11-27T03:52:01.963Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="portal" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://10.208.0.251/portal</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_8c7436fdf8b208e1678bf5fe87f2db24">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>A+C9aWbncDtUIhDRM1LmuAJ1ZuFzkN8GdEFcTUrU08s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
fHJNAw1ce3CSz70ZIvaftwQyTXZF2zmq5muDYZwNZ6JieflRbNtIzaBAPuk7UAstdhjWVL9w2EOJ&#13;
ffeKxUh/c1p/FXD8jWREcvSpezgOKsEw0qmfj0yOa2cvyr7sLM/SAHWzQS42hdXZ2WSTYMW7wNvt&#13;
XLHVVxBgxdOEj1agrOqhn9tzbytFOzyaFKRzOPOVTjocoRrEdwR+xP+i8yCnzEWRrTXEFqdQxRWl&#13;
limrvLrDFG56wVzz9QDm7hTdeTvStM9i7LLMlbawJ0L1wa4vGFa7sDcog+EgC96WldscQHmB7fbW&#13;
W8+j6C+GEBcBojX2kkKNpPG93HuC4tkWToNeQw==
</ds:SignatureValue>
</ds:Signature><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></saml2p:AuthnRequest>
2024-11-27 11:52:03,195 DEBUG [org.keycloak.protocol.saml.SamlService] (executor-thread-226) ** login request


  • Solution
Posted

I found a solution and the test passed, but I don't know if it will cause other problems.
1. Log in to Horizon UAG and go to the /opt/vmware/gateway/supervisor/conf directory.
2. Edit the esmanager.ini file and add "-Dorg.apache.xml.security.ignoreLineBreaks=true".
3. Restart the esmanager service: supervisorctl restart esmanager
4. Check whether the parameter was added: ps -ef|grep ignoreLineBreaks

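Added example for both the problem report above and the accepted answer; this is editor-written diagnostic code, not part of either post and not UAG or Keycloak code. It takes the SignatureValue from the captured AuthnRequest and builds two constructed variants of the request: one with literal CRLF between the base64 lines (what the browser capture shows) and one with the CR escaped as the character reference "&#13;" (what the Keycloak log shows). It then shows what an XML parser leaves in the text node in each case, that a strict base64 decoder rejects both forms while a whitespace-tolerant one decodes the same 256-byte RSA signature, and what the single-line value looks like that the SP emits once line wrapping is disabled. Two background facts the example relies on: XML 1.0 end-of-line handling turns a literal CRLF into LF during parsing, so a bare CR only survives when it was written as "&#13;"; and the two properties in the thread are read by two different copies of the same library, the JDK's internal fork (com.sun.org.apache.xml.internal.security) and the standalone Apache Santuario jar (org.apache.xml.security), which is why only the flag for the copy the signer actually uses has an effect. The flag changes only the line wrapping of base64 output; whitespace inside a base64 value is insignificant in XMLDSig, so a conforming verifier accepts either form, and the check below is what to run on a captured request before changing anything. The AuthnRequest skeleton and function names are assumptions for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_VALUE_TAG = f"{{{DS_NS}}}SignatureValue"

# The SignatureValue lines exactly as they appear in the captured AuthnRequest
# above: MIME-style 76-column wrapping, as produced by a signer that has not
# been told to ignore line breaks.
SIG_LINES = [
    "fHJNAw1ce3CSz70ZIvaftwQyTXZF2zmq5muDYZwNZ6JieflRbNtIzaBAPuk7UAstdhjWVL9w2EOJ",
    "ffeKxUh/c1p/FXD8jWREcvSpezgOKsEw0qmfj0yOa2cvyr7sLM/SAHWzQS42hdXZ2WSTYMW7wNvt",
    "XLHVVxBgxdOEj1agrOqhn9tzbytFOzyaFKRzOPOVTjocoRrEdwR+xP+i8yCnzEWRrTXEFqdQxRWl",
    "limrvLrDFG56wVzz9QDm7hTdeTvStM9i7LLMlbawJ0L1wa4vGFa7sDcog+EgC96WldscQHmB7fbW",
    "W8+j6C+GEBcBojX2kkKNpPG93HuC4tkWToNeQw==",
]


def authn_request(sig_value: str) -> str:
    """Constructed, minimal AuthnRequest skeleton (assumption: only the parts
    needed to locate ds:SignatureValue are kept) carrying the given text."""
    return (
        '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_8c7436fdf8b208e1678bf5fe87f2db24" Version="2.0">'
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo/>'
        f'<ds:SignatureValue>{sig_value}</ds:SignatureValue>'
        '</ds:Signature></saml2p:AuthnRequest>'
    )


# Two constructed variants of the same request:
#  - literal CRLF between the base64 lines, as in the browser capture
#  - CR written as the character reference &#13;, as in the Keycloak log
REQUEST_LITERAL_CRLF = authn_request("\r\n" + "\r\n".join(SIG_LINES) + "\r\n")
REQUEST_ESCAPED_CR = authn_request("\n" + "&#13;\n".join(SIG_LINES) + "\n")


def signature_value_text(xml_text: str) -> str:
    """Text node of ds:SignatureValue as the XML parser delivers it."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{SIG_VALUE_TAG}")
    if node is None or node.text is None:
        raise ValueError("no ds:SignatureValue in document")
    return node.text


def control_chars(text: str) -> set:
    """Which line-ending characters survive parsing: a literal CRLF is
    normalized to LF by the XML parser, an escaped &#13; stays a CR."""
    return {c for c in text if c in "\r\n"}


def strict_decode_ok(text: str) -> bool:
    """True if a strict base64 decoder (no whitespace tolerated) accepts the
    value as-is; this is the behaviour that surfaces as 'invalid signature'."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False


def decode_signature(text: str) -> bytes:
    """Decode the way XMLDSig intends: whitespace inside the base64 is
    insignificant, so strip it before a strict decode."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def normalized_signature_value(xml_text: str) -> str:
    """Single-line form of the value: what the SP emits once line wrapping
    of base64 output is disabled (ignoreLineBreaks=true)."""
    return re.sub(r"\s+", "", signature_value_text(xml_text))


if __name__ == "__main__":
    for label, req in (("literal CRLF", REQUEST_LITERAL_CRLF),
                       ("escaped &#13;", REQUEST_ESCAPED_CR)):
        text = signature_value_text(req)
        print(f"{label}: control chars after parsing {sorted(map(repr, control_chars(text)))}, "
              f"strict decode ok: {strict_decode_ok(text)}, "
              f"signature bytes after whitespace strip: {len(decode_signature(text))}")
    print("normalized:", normalized_signature_value(REQUEST_ESCAPED_CR)[:32], "...")
```

Run it against a request pulled from the browser's POST (base64-decode the SAMLRequest form field first) to confirm the line breaks are really in the SignatureValue before touching esmanager.ini; after the change, the same check should report no control characters and a strict decode that succeeds.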
