Escape character in SAML response
Describe the bug
I am trying to set up Keycloak as IdP and use it for SSO. The first redirect (from the application login URL to Keycloak) works fine, but then, after entering the user credentials, I get an “invalid signature” error from the application.
I have checked the SAML response (from Keycloak to the application) and I can see that Keycloak adds a weird escape character ( ) in the certificate and signature value.
Here is part of the SAML response:
```xml
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    <dsig:Reference URI="#ID_fde25c3e-6958-4b49-bbe0-e4aeb200de98">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <dsig:DigestValue>p3ldrwhvbO1zoeHlhCx9TdZ01hGnw3f3IqBDIT5e1oU=</dsig:DigestValue>
    </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>
    iGNKaLxr3c9CUPpRxC3xeS0grx2FdcXWcWArlqZHdWIjQF0n9Whh5ue00HEmb+Nr5VO9jBUwRwXl
    VNEARy/4DeAsuXIxej0OYASBMjx+5qfmUIelXKLChTYjrdHyq2ZtD7BWfCrnNLtB7XiZsy8cYm0v
    ynWLlJTyxUpg+FakcxGNDnSUG6Ofslv6byQDsNY56yvqKCWbcqa1/70PD401E/Gf2XcD4paPAvHX
    B+wS25QFytqrxumRtlJiKcPS+IB8umpcHG4mKk3Qg9FxCRQk2Pk693VnEtYyQ5VXUTNFW8SfWpnQ
    xDNSE6h2cevj4nT7NSQDxoNh1LRBokwjUNJWQg==
  </dsig:SignatureValue>
```
Is there a way to force Keycloak to send the signature value on one line without adding escape characters?
Version
19.0.1
Expected behavior
The XML response should look like:
```xml
<SignatureValue>Ig/yqt/1Vc/5BMxKvFrARvXGv647L4eAF2TSGkfM1Th3eeU2CjaTFHIFZoGXft8q3ALrbSTBIJckXr3ARZJSqzygTgsMwBgiwH5lR4glSPSbilgTVY/nfDiV9c0+ViVSVCh4ASUB5qEVlVBHUwVHX2dxlFMxunJZj+mlOW3PtFL5Ldbc9Primm+lswX8VMMlJOJJ3JwouQ8NsyUKZwyg27bW8GkOwlBgctKVEDl+rLOSoFY4f2YPzSYG9s8H1yz1VJ8dKMSNIGN+OgNdJBOgAREfnyq5GD6qBHRca0i3KDEXi0+5PRd/tcAIcdYIoLUECVkRYvc0SVWk2r3Ys1X0eA==</SignatureValue>
```
Actual behavior
Instead you get this signature value in the response:
```xml
<dsig:SignatureValue>
  iGNKaLxr3c9CUPpRxC3xeS0grx2FdcXWcWArlqZHdWIjQF0n9Whh5ue00HEmb+Nr5VO9jBUwRwXl
  VNEARy/4DeAsuXIxej0OYASBMjx+5qfmUIelXKLChTYjrdHyq2ZtD7BWfCrnNLtB7XiZsy8cYm0v
  ynWLlJTyxUpg+FakcxGNDnSUG6Ofslv6byQDsNY56yvqKCWbcqa1/70PD401E/Gf2XcD4paPAvHX
  B+wS25QFytqrxumRtlJiKcPS+IB8umpcHG4mKk3Qg9FxCRQk2Pk693VnEtYyQ5VXUTNFW8SfWpnQ
  xDNSE6h2cevj4nT7NSQDxoNh1LRBokwjUNJWQg==
</dsig:SignatureValue>
```
How to Reproduce?
SAML authentication with signature required, with both the document and the assertion signed.
Anything else?
No response
Issue Analytics
- Created: a year ago
- Reactions: 5
- Comments: 7
Top GitHub Comments
The problem was triggered by the merge of https://github.com/keycloak/keycloak/pull/9355, and in particular the unification of the Base64 implementations. Unfortunately it breaks the usage of Microsoft 365, which refuses to validate the new format of the signature. As discussed in https://github.com/keycloak/keycloak/discussions/14500, it would be good to have an acceptable workaround (if not a solution), as it prevents users from upgrading.
I’ve just started experimenting with Keycloak version 20 and I’m experiencing something similar to @Kevin-Andrew: after stripping out the `&#13;` char in the signature, I’m able to validate the response signature when the assertion is signed or when the document is signed, but not when both are signed. I’m not sure if this is the same issue or a separate one. Has anyone else experienced similar?
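A service-provider-side version of the workaround discussed in this thread (stripping the `&#13;` line wrapping from the Base64 before validation), written as an added example that is not code from Keycloak or from anyone in the issue. It compacts the Base64 only inside `SignatureValue` and `X509Certificate`, which sit outside `SignedInfo` and are therefore not covered by the signature, and leaves `DigestValue` and every other byte of the signed document untouched; the sample response is constructed from the signature lines quoted in the report, and the "`&#13;` plus newline" layout of the Keycloak 19 output is an assumption.

```python
import base64
import re

# Base64-carrying elements that sit OUTSIDE <SignedInfo>: their whitespace is not
# covered by the signature, so compacting it cannot break the digests. DigestValue is
# deliberately left alone: it is inside SignedInfo and is signed exactly as serialised.
ELEMENT_RE = re.compile(
    r"(<(?:[\w.-]+:)?(SignatureValue|X509Certificate)\b[^>]*>)(.*?)(</(?:[\w.-]+:)?\2>)",
    re.DOTALL,
)
# Literal whitespace plus the CR/LF character references a serialiser emits when a
# MIME-style encoder wrapped the Base64 (&#13; survives XML parsing; a raw CR would not).
WRAP_RE = re.compile(r"(?:&#13;|&#xD;|&#10;|&#xA;|\s)+", re.IGNORECASE)

def normalize_b64(raw):
    """Return the Base64 text as one line; raise if it is not valid Base64 at all."""
    compact = WRAP_RE.sub("", raw)
    base64.b64decode(compact, validate=True)  # strict alphabet check, no silent repair
    return compact

def normalize_saml_dsig(xml_text):
    """Compact Base64 inside SignatureValue/X509Certificate only, editing the raw text
    so every other byte of the signed document stays as it was. Returns (xml, changed)."""
    changed = []
    def repl(m):
        open_tag, name, body, close_tag = m.groups()
        compact = normalize_b64(body)
        if compact != body:
            changed.append(name)
        return open_tag + compact + close_tag
    return ELEMENT_RE.sub(repl, xml_text), changed

# Constructed sample: the SignatureValue lines quoted in the report, joined with
# "&#13;" + newline (assumed layout of the Keycloak 19 output); DigestValue is single-line.
SIG_LINES = [
    "iGNKaLxr3c9CUPpRxC3xeS0grx2FdcXWcWArlqZHdWIjQF0n9Whh5ue00HEmb+Nr5VO9jBUwRwXl",
    "VNEARy/4DeAsuXIxej0OYASBMjx+5qfmUIelXKLChTYjrdHyq2ZtD7BWfCrnNLtB7XiZsy8cYm0v",
    "ynWLlJTyxUpg+FakcxGNDnSUG6Ofslv6byQDsNY56yvqKCWbcqa1/70PD401E/Gf2XcD4paPAvHX",
    "B+wS25QFytqrxumRtlJiKcPS+IB8umpcHG4mKk3Qg9FxCRQk2Pk693VnEtYyQ5VXUTNFW8SfWpnQ",
    "xDNSE6h2cevj4nT7NSQDxoNh1LRBokwjUNJWQg==",
]
SAMPLE_XML = (
    '<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo>'
    '<dsig:Reference URI="#ID_x"><dsig:DigestValue>p3ldrwhvbO1zoeHlhCx9TdZ01hGnw3f3IqBDIT5e1oU='
    "</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>"
    + "&#13;\n".join(SIG_LINES) + "</dsig:SignatureValue></dsig:Signature>"
)

if __name__ == "__main__":
    print(normalize_saml_dsig(SAMPLE_XML)[1])  # ['SignatureValue']
```

Run it over the raw response bytes before handing them to the SP's signature validator; if `changed` is non-empty, the IdP is line-wrapping its Base64 and that is the reason a strict decoder rejects the signature.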