
Escape character in SAML response


Describe the bug

I am trying to set up Keycloak as IdP and use it for SSO. The first redirect (from the application login URL to Keycloak) works fine, but then, after entering the user credentials, I get an “invalid signature” error from the application.

I have checked the SAML response (from Keycloak to the application) and I can see that Keycloak adds a weird escape character (`&#13;`) in the certificate and signature value.

Here is part of the SAML response

```xml
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <dsig:Reference URI="#ID_fde25c3e-6958-4b49-bbe0-e4aeb200de98">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <dsig:DigestValue>p3ldrwhvbO1zoeHlhCx9TdZ01hGnw3f3IqBDIT5e1oU=</dsig:DigestValue>
    </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>iGNKaLxr3c9CUPpRxC3xeS0grx2FdcXWcWArlqZHdWIjQF0n9Whh5ue00HEmb+Nr5VO9jBUwRwXl&#13;
VNEARy/4DeAsuXIxej0OYASBMjx+5qfmUIelXKLChTYjrdHyq2ZtD7BWfCrnNLtB7XiZsy8cYm0v&#13;
ynWLlJTyxUpg+FakcxGNDnSUG6Ofslv6byQDsNY56yvqKCWbcqa1/70PD401E/Gf2XcD4paPAvHX&#13;
B+wS25QFytqrxumRtlJiKcPS+IB8umpcHG4mKk3Qg9FxCRQk2Pk693VnEtYyQ5VXUTNFW8SfWpnQ&#13;
xDNSE6h2cevj4nT7NSQDxoNh1LRBokwjUNJWQg==
</dsig:SignatureValue>
```

Is there a way to force Keycloak to send the signature value in one line without adding escape characters?

Version

19.0.1

Expected behavior

The XML response should be like:

```xml
<SignatureValue>Ig/yqt/1Vc/5BMxKvFrARvXGv647L4eAF2TSGkfM1Th3eeU2CjaTFHIFZoGXft8q3ALrbSTBIJckXr3ARZJSqzygTgsMwBgiwH5lR4glSPSbilgTVY/nfDiV9c0+ViVSVCh4ASUB5qEVlVBHUwVHX2dxlFMxunJZj+mlOW3PtFL5Ldbc9Primm+lswX8VMMlJOJJ3JwouQ8NsyUKZwyg27bW8GkOwlBgctKVEDl+rLOSoFY4f2YPzSYG9s8H1yz1VJ8dKMSNIGN+OgNdJBOgAREfnyq5GD6qBHRca0i3KDEXi0+5PRd/tcAIcdYIoLUECVkRYvc0SVWk2r3Ys1X0eA==</SignatureValue>
```

Actual behavior

Instead you get this signature value in the response:

```xml
<dsig:SignatureValue>iGNKaLxr3c9CUPpRxC3xeS0grx2FdcXWcWArlqZHdWIjQF0n9Whh5ue00HEmb+Nr5VO9jBUwRwXl&#13;
VNEARy/4DeAsuXIxej0OYASBMjx+5qfmUIelXKLChTYjrdHyq2ZtD7BWfCrnNLtB7XiZsy8cYm0v&#13;
ynWLlJTyxUpg+FakcxGNDnSUG6Ofslv6byQDsNY56yvqKCWbcqa1/70PD401E/Gf2XcD4paPAvHX&#13;
B+wS25QFytqrxumRtlJiKcPS+IB8umpcHG4mKk3Qg9FxCRQk2Pk693VnEtYyQ5VXUTNFW8SfWpnQ&#13;
xDNSE6h2cevj4nT7NSQDxoNh1LRBokwjUNJWQg==</dsig:SignatureValue>
```

How to Reproduce?

SAML authentication with signature required, signed document and assertion

Anything else?

No response

Issue Analytics

  • State: open
  • Created: a year ago
  • Reactions: 5
  • Comments: 7

Top GitHub Comments

1 reaction
mverbert commented, Dec 1, 2022

The problem was triggered by the merge of https://github.com/keycloak/keycloak/pull/9355, and in particular the unification of the Base64 implementations. Unfortunately it breaks the usage of Microsoft 365, which refuses to validate the new format of the signature. As discussed in https://github.com/keycloak/keycloak/discussions/14500 it would be good to have an acceptable workaround (if not a solution), as it prevents users from upgrading.
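The reporter's snippet and the comment above point at the same mechanism: the Base64 text of `SignatureValue` (and, per the report, `X509Certificate`) is broken into 76-character lines separated by CRLF, and the XML serializer writes the CR as `&#13;` so it survives a parser's line-ending normalization. The script below is an added example, not Keycloak code and not from the issue: it takes the "Actual behavior" value from the report (the newline after each `&#13;` is assumed to be the LF of a CRLF pair; the report renders it as a space), shows that a strict Base64 decoder rejects it while a whitespace-tolerant one decodes the same 256 signature bytes, and reproduces the wrapped form from the one-line value. The 76-character width is read off the report's snippet; how the IdP produces it is inferred from that output, not taken from Keycloak's source.

```python
"""Inspect a SAML ds:SignatureValue whose Base64 text contains &#13; entities."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the <dsig:SignatureValue> from the issue's "Actual behavior"
# snippet, wrapped in a minimal <dsig:Signature>. The newline after each &#13; is
# assumed to be the LF of a CRLF pair (the issue renders it as a space).
SAML_FRAGMENT = (
    '<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">'
    "<dsig:SignatureValue>"
    "iGNKaLxr3c9CUPpRxC3xeS0grx2FdcXWcWArlqZHdWIjQF0n9Whh5ue00HEmb+Nr5VO9jBUwRwXl&#13;\n"
    "VNEARy/4DeAsuXIxej0OYASBMjx+5qfmUIelXKLChTYjrdHyq2ZtD7BWfCrnNLtB7XiZsy8cYm0v&#13;\n"
    "ynWLlJTyxUpg+FakcxGNDnSUG6Ofslv6byQDsNY56yvqKCWbcqa1/70PD401E/Gf2XcD4paPAvHX&#13;\n"
    "B+wS25QFytqrxumRtlJiKcPS+IB8umpcHG4mKk3Qg9FxCRQk2Pk693VnEtYyQ5VXUTNFW8SfWpnQ&#13;\n"
    "xDNSE6h2cevj4nT7NSQDxoNh1LRBokwjUNJWQg=="
    "</dsig:SignatureValue>"
    "</dsig:Signature>"
)


def signature_value_text(xml_text: str) -> str:
    """Text content of ds:SignatureValue. The XML parser expands &#13; to a real '\\r'."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{DSIG_NS}}}SignatureValue")
    if node is None or node.text is None:
        raise ValueError("no ds:SignatureValue in document")
    return node.text


def decode_strict(b64: str) -> bytes:
    """Decoder that rejects any character outside the Base64 alphabet, i.e. the
    behaviour of a relying party that refuses the wrapped value."""
    return base64.b64decode(b64, validate=True)


def normalize_b64(b64: str) -> str:
    """Remove all whitespace (CR, LF, space, tab). XML Schema base64Binary and
    RFC 2045 both permit whitespace inside the encoding, so this cannot change the
    bytes a conforming decoder returns. SignatureValue itself is not covered by the
    signature (only SignedInfo is), so normalizing its text does not touch what
    was signed."""
    return re.sub(r"\s+", "", b64)


def decode_lenient(b64: str) -> bytes:
    """Whitespace-tolerant decode: strip, then decode strictly."""
    return decode_strict(normalize_b64(b64))


def mime_wrap_and_escape(single_line_b64: str, width: int = 76) -> str:
    """Re-create the form seen in the issue: Base64 cut into 76-character lines
    joined by CRLF, with the CR written as &#13; (assumed mechanism, inferred from
    the output in the report)."""
    lines = [single_line_b64[i:i + width] for i in range(0, len(single_line_b64), width)]
    return "&#13;\n".join(lines)


def inspect_signature_value(xml_text: str) -> dict:
    """Report whether the value is wrapped, whether a strict decoder accepts it,
    and how many signature bytes a tolerant decoder recovers."""
    raw = signature_value_text(xml_text)
    try:
        decode_strict(raw)
        strict_ok = True
    except binascii.Error:
        strict_ok = False
    clean = normalize_b64(raw)
    return {
        "carriage_returns": raw.count("\r"),
        "strict_decoder_accepts": strict_ok,
        "normalized_length": len(clean),
        "signature_bytes": len(decode_strict(clean)),
    }


if __name__ == "__main__":
    print(inspect_signature_value(SAML_FRAGMENT))
```

For the sample the report gives, the strict decoder fails on the four `\r` characters while the normalized value decodes to 256 bytes, the size of an RSA-2048 signature, so the signature bytes themselves are intact and only the relying party's decoder is stricter than the base64Binary type allows. On the SP side, applying `normalize_b64` to the text of `ds:SignatureValue` and `ds:X509Certificate` before decoding is the least invasive workaround; on the IdP side the fix is to stop line-wrapping the encoder output.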

0 reactions
max-stytch commented, Dec 3, 2022

I’ve just started experimenting with Keycloak version 20 and I’m experiencing something similar to @Kevin-Andrew: after stripping out the `&#13;` char in the signature, I’m able to validate the response signature when the assertion is signed or when the document is signed, but not when both are signed. I’m not sure if this is the same issue or a separate one. Has anyone else experienced similar?
