how to get saml-metadata for keycloak as sp with certificate - saml

I have set up a Keycloak server. Then I created a realm and in that realm a SAML IdP. So my Keycloak server is a SAML SP that uses that IdP for authentication. The IdP needs the SAML metadata. I can export it in the Keycloak admin console in the "Export" tab of the IdP entry. I can also download it here:
http[s]://{host:port}/auth/realms/{realm-name}/broker/{broker-alias}/endpoint/descriptor
But the metadata does not contain an X509 certificate:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://keycloak.sample/auth/realms/nodejs-example">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.sample/auth/realms/nodejs-example/broker/idp.devel/endpoint"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.sample/auth/realms/nodejs-example/broker/idp.devel/endpoint"
        index="1" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
How do I get one into the metadata?

Question:
The SAML SP metadata does not contain an X509 certificate.
How do I get one into the metadata?
Answer:
It is OK that SAML SP metadata of Keycloak does NOT contain an X509 certificate if (I) Keycloak SAML SP does NOT need to sign SAML authentication request or (II) SAML IdP is NOT required to encrypt SAML assertion for Keycloak SAML SP.
(1) SAML SP metadata does NOT necessarily contain an X509 certificate. That is, an X509 certificate is NOT mandatory for SAML SP metadata.
For example, both Google G Suite and ComponentSpace provide SAML SP metadata without an X509 certificate.
(I) SAML SP metadata of Google G Suite does NOT contain an X509 certificate. I uploaded SAML SP metadata of Google G Suite into Shibboleth SAML IdP server and then logged in to Google G Suite through SAML authentication provided by Shibboleth SAML IdP successfully.
For your reference on SAML SP metadata without an X509 certificate, I have made the 14th commit to upload the Google G Suite SAML SP metadata and corresponding SAML configuration to How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository.
(II) The ComponentSpace Development provides the guidance on how to generate SAML service provider metadata with no certificates.
No signature or encryption certificates were specified so no certificates were included in the generated metadata.
ExportMetadata.exe
SAML configuration file to export [saml.config]:
X.509 signature certificate file [None]:
X.509 encryption certificate file [None]:
Assertion Consumer Service URL [None]: http://localhost:51901/SAML/AssertionConsumerService.aspx
Single Logout Service URL [None]:
Partner Identity Provider Name [None]:
SAML metadata file [metadata.xml]:
(2) SAML SP metadata needs to contain an X509 certificate if SAML SP needs to sign SAML authentication request or SAML IdP needs to encrypt SAML assertion.
(3) Quite different from SAML SP, SAML IdP metadata should contain at least one X509 certificate for signing SAML response/assertion.
Follow-up answer provided by Galdor:
If you require SAML IdP to encrypt SAML assertion for Keycloak SAML SP:
(I) Set "Want Assertions Encrypted" in the IDP-Configuration to ON and instantly the X509Certificate entry appears in the Export tab.
(II) Download SAML SP metadata of Keycloak, which should contain X509 certificate for encryption.
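As an added example (not code from the question or any of the answers), the Python script below parses an SP descriptor of the shape shown in the question, lists which KeyDescriptor uses carry a certificate, and applies the rule from this answer: a certificate is required only when AuthnRequestsSigned is true or the IdP is expected to encrypt assertions. The sample metadata is a constructed copy of the question's descriptor, and the certificate body is a placeholder, not real DER.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed placeholder certificate body: base64 of arbitrary bytes, not real DER.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

def sample_sp_metadata(encryption_cert: bool) -> str:
    """The question's descriptor (constructed copy), optionally with the encryption
    KeyDescriptor that appears once 'Want Assertions Encrypted' is switched on."""
    kd = (f'<KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>'
          f'<ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data>'
          '</ds:KeyInfo></KeyDescriptor>') if encryption_cert else ""
    return (f'<EntityDescriptor xmlns="{MD}" entityID="https://keycloak.sample/auth/realms/nodejs-example">'
            '<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{kd}'
            '<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
            'Location="https://keycloak.sample/auth/realms/nodejs-example/broker/idp.devel/endpoint" '
            'index="1" isDefault="true"/></SPSSODescriptor></EntityDescriptor>')

def fingerprint(b64cert: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of the DER inside an X509Certificate element."""
    der = base64.b64decode("".join(b64cert.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def sp_key_uses(metadata_xml: str) -> dict:
    """Map each KeyDescriptor use ('signing'/'encryption') to the fingerprints it carries.
    A KeyDescriptor without a 'use' attribute is valid for both."""
    sp = ET.fromstring(metadata_xml).find(f"{{{MD}}}SPSSODescriptor")
    uses = {}
    for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
        fps = [fingerprint(c.text) for c in kd.iter(f"{{{DS}}}X509Certificate")]
        for use in kd.get("use", "signing encryption").split():
            uses.setdefault(use, []).extend(fps)
    return uses

def check_sp_metadata(metadata_xml: str, idp_encrypts_assertions: bool) -> list:
    """Apply the answer's rule: a certificate is needed only if the SP signs its
    AuthnRequests or the IdP is expected to encrypt assertions. Empty list = consistent."""
    sp = ET.fromstring(metadata_xml).find(f"{{{MD}}}SPSSODescriptor")
    uses = sp_key_uses(metadata_xml)
    findings = []
    if sp.get("AuthnRequestsSigned") == "true" and "signing" not in uses:
        findings.append("AuthnRequestsSigned=true but no signing certificate in metadata")
    if idp_encrypts_assertions and "encryption" not in uses:
        findings.append("IdP is to encrypt assertions but no encryption certificate in metadata")
    return findings
```

Run it against the descriptor downloaded from the broker's descriptor endpoint to see whether the missing certificate is actually a problem for your configuration.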

According to winstonhong's answer the Keycloak server doesn't need a certificate in this configuration.
I set "Want Assertions Encrypted" in the IDP-Configuration to ON and instantly the X509Certificate entry appears in the Export tab.

You can now in KC 13.0.1 sign your metadata with your realm keypair.
Check more here: https://www.keycloak.org/docs/latest/server_admin/#saml-v2-0-identity-providers
Sign Service Provider Metadata - If true, it will use the realm’s keypair to sign the SAML Service Provider Metadata descriptor.

Related

Keycloak as a Service Provider - setting up a signing certificate

How do I install a signing certificate in Keycloak when using Keycloak as a Service Provider (SP) that should connect to a (non-Keycloak) Identity Provider (IdP)?
To be more precise, Keycloak should be used as an Identity Broker (as described in the Keycloak documentation) and the communication between the Keycloak SP and the IdP is going to be facilitated via the SAML 2.0 protocol.
The Keycloak documentation contains information on how to install SSL certificates for doing "normal" HTTPS communication e.g. in the browser, but I cannot find anything regarding the installation of signing certificates to be used in the backend-to-backend SAML communication with the IdP. Does anyone know how to do this?
(Maybe only one certificate is installed into Keycloak, i.e. this certificate is used for both SAML communication and other non-SAML Keycloak HTTPS communication?)
How do you see which Certificate is used by your SP for signing/encrypting SAML messages for/to the external IDP?
Go to Identity Providers -> your configured SAML IDP -> Export. The export contains the certificate which is used for signing/encryption. There must be at least one activated signing/encryption config in your IDP, otherwise you will not see a cert in the export.
How can I change the Certificate used by my configured IDP?
When creating a realm, Keycloak generates an RSA-SHA256 cert which will by default be used by your configured IDP-Brokering settings.
Go to Realm Settings -> Keys and you will see this one RS256 (RSA) with the provider (rsa-generated).
If you need another cert, switch to the Providers tab, Add Keystore e.g. rsa. Import your private key and certificate (both in PEM format!).
Back on the overview, disable the rsa-generated provider; your new provider should be the only active one with type RS256.
If you now check the Export of your IDP again, the imported cert should be used inside the XML.
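To confirm the last step without eyeballing base64, here is an added check (not code from the answer or from Keycloak) that compares the certificate in the exported descriptor with the PEM file you imported into the rsa keystore provider. The DER values and the export are constructed samples; the "certificates" are placeholder bytes, not real X.509 data.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def pem_certs(pem: str) -> list:
    """DER bytes of every CERTIFICATE block in a PEM file (a chain yields several)."""
    certs, body = [], None
    for line in pem.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            body = []
        elif line.startswith("-----END CERTIFICATE-----"):
            certs.append(base64.b64decode("".join(body)))
            body = None
        elif body is not None:
            body.append(line.strip())
    return certs

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a single PEM certificate (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")

def certs_in_export(metadata_xml: str) -> list:
    """DER bytes of every X509Certificate in the exported descriptor."""
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode("".join(c.text.split())) for c in root.iter(f"{{{DS}}}X509Certificate")]

def export_uses_cert(metadata_xml: str, pem: str) -> bool:
    """True when the leaf certificate (first block) of the imported PEM is in the export."""
    leaf = pem_certs(pem)
    return bool(leaf) and leaf[0] in certs_in_export(metadata_xml)

# Constructed samples: placeholder bytes standing in for DER, not real certificates.
IMPORTED_DER = b"constructed placeholder DER for the imported rsa keystore provider"
GENERATED_DER = b"constructed placeholder DER for the default rsa-generated provider"

def sample_export(der: bytes) -> str:
    """An export like the IDP's Export tab produces, carrying one signing certificate."""
    b64 = base64.b64encode(der).decode()
    return (f'<EntityDescriptor xmlns="{MD}" entityID="https://keycloak.sample/auth/realms/nodejs-example">'
            '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</KeyDescriptor></SPSSODescriptor></EntityDescriptor>')
```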

Who signs the SAML Digital Signature

I'm a Service Provider, and the SME for the Identity Provider has specified that they require that the SP provide them a certificate different from the standard server certificate.
Every SSO Integration I've accomplished so far has had the IdP provide me with the certificate.
Is an SP able to create and provide a separate certificate to the IdP?
Currently, the IdP SME is advising that unless I can provide this, he won't enable Solicited SSO(SP-Initiated SSO).

Setting up a new Shibboleth IdP to work with an existing SAML SP

Hopefully this isn't a duplicate or too broad. I just have a feeling I need a bit more information than anything else I've been able to find.
I have a program/server that already has a functioning SAML SP built in to it. I'm trying to get it connected to a test Shibboleth IdP (V3.3.3) on an internal server running Windows Server. I have it installed and connected to our Active Directory users. The documentation was great for getting to that point.
Now I have no earthly clue how to proceed. I see a lot of information about exchanging configuration/XML info and certificates between SPs and IdPs. I believe I have a valid SP XML and certificate to give to the IdP, but I don't know:
1. Where to put the SP XML information in the IdP installation
2. Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)
3. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)
4. Where the IdP login path is
5. Whether or not there's anything else I need to configure to get the two talking
1 through 4 are probably my biggest confusions that I can't seem to find info on. The Shibboleth documentation seems to assume I am far more familiar with configuring an IdP than I am. It tells me where to configure literally anything/everything possible, but I don't know what I should be configuring.
Anyhow, thanks for any help on this. I've been wasting a pitiful amount of time trying to figure this out.
To answer your five (5) questions, without loss of generality, we assume that
(I) the metadata file of SAML IdP is idpsaml-metadata.xml
(II) the metadata file of SAML SP is sp-example-org.xml
Q&A
1. Where to put the SP XML information in the IdP installation
Answer: /opt/shibboleth-idp/metadata/sp-example-org.xml
2. Where to put the SP certificate in the IdP installation (or setup/configure a path to a certificate)
Answer: The metadata file of SAML SP consists of the SP certificate.
SAML IdP will extract SP certificate from SAML SP's metadata (e.g., sp-example-org.xml)
3. Where to get the IdP certificate (I think the default setup generates something for me? Unclear)
Answer: The metadata file of SAML IdP consists of all the IdP certificates (which have been generated by the default setup of SAML IdP).
You need to place the metadata file of SAML IdP (e.g., idpsaml-metadata.xml) into the SAML SP's home directory, e.g., /etc/shibboleth/idpsaml-metadata.xml
4. Where the IdP login path is
Answer: Usually SAML SP uses HTTP-POST endpoint as SAML IdP login path, e.g.,
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://IdP-Server-URL/idp/profile/SAML2/POST/SSO"/>
You also need to configure Shibboleth IdP with LDAP user authentication.
/opt/shibboleth-idp/conf/idp.properties
/opt/shibboleth-idp/conf/ldap.properties
/opt/shibboleth-idp/conf/attribute-filter.xml
/opt/shibboleth-idp/conf/attribute-resolver-full.xml
5. Whether or not there's anything else I need to configure to get the two talking
Answer: To allow SAML IdP to provide identity authentication for SAML SP, both SAML IdP and SAML SP need to exchange their metadata.
Then you need to configure SAML IdP with SAML SP.
SAML IdP
/opt/shibboleth-idp/conf/metadata-providers.xml
/opt/shibboleth-idp/conf/relying-party.xml
SAML SP
/etc/shibboleth/shibboleth2.xml
/etc/shibboleth/attribute-map.xml
Remarks:
How to build and run Shibboleth SAML IdP and SP using Docker container at GitHub repository provides the sample configuration files for Shibboleth IdP and SP.
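Before dropping an idpsaml-metadata.xml into the SP's home directory, it helps to confirm it really is IdP metadata, that it carries at least one signing certificate (point (3) in the first answer on this page) and that it offers the HTTP-POST login endpoint. The following is an added example (not code from this answer or from Shibboleth) that does those checks and pulls the SSO Location for a given binding; the metadata is a constructed sample in the shape Shibboleth publishes, with a placeholder certificate body.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()  # not real DER
# Constructed idpsaml-metadata.xml: one signing certificate plus Redirect and POST SSO endpoints.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://IdP-Server-URL/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://IdP-Server-URL/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="{POST}" Location="https://IdP-Server-URL/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def idp_descriptor(metadata_xml: str):
    # The IDPSSODescriptor element, or None if this is not IdP metadata.
    return ET.fromstring(metadata_xml).find(f"{{{MD}}}IDPSSODescriptor")

def sso_location(metadata_xml: str, binding: str = POST):
    """The login endpoint an SP sends AuthnRequests to for the given binding, or None."""
    idp = idp_descriptor(metadata_xml)
    for svc in ([] if idp is None else idp.findall(f"{{{MD}}}SingleSignOnService")):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None

def signing_certs(metadata_xml: str) -> list:
    """Base64 bodies of certificates usable to verify the IdP's signatures (use="signing" or no use)."""
    idp = idp_descriptor(metadata_xml)
    out = []
    for kd in ([] if idp is None else idp.findall(f"{{{MD}}}KeyDescriptor")):
        if kd.get("use") in (None, "signing"):
            out.extend("".join(c.text.split()) for c in kd.iter(f"{{{DS}}}X509Certificate"))
    return out

def check_idp_metadata(metadata_xml: str) -> list:
    """Findings to resolve before the SP trusts this file; an empty list means it is usable."""
    findings = []
    if idp_descriptor(metadata_xml) is None:
        findings.append("no IDPSSODescriptor: this is not IdP metadata")
    if not signing_certs(metadata_xml):
        findings.append("no signing certificate: SP cannot verify responses/assertions")
    if sso_location(metadata_xml, POST) is None:
        findings.append("no HTTP-POST SingleSignOnService: no login endpoint for the SP")
    return findings
```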

Spring SAML - Use CA Root Cert instead of Server public cert in JKS

I have a Spring SAML project that has a JKS with the public certificate of the IDP loaded into it. I have a theoretical question:
If I were to load in the issuing root or intermediate CA into the JKS, would that be sufficient for trusting the IDP and validating the IDP SAML messages? The benefit to doing this would be that future IDPs with a common issuer would be trusted without having to load in their certificate.
My understanding is that the actual public certificate of the IDP needs to be in the JKS so that Spring SAML can validate the request; however, isn't the X509 in the request sufficient for doing this, and it's just a matter of validating that the certificate in the IDP's public metadata is from a trusted issuer?
I'm a bit over my head with this. Any insight or explanation will be greatly appreciated!
Yes, you can do that with the PKIX security profile. Loading the IDP certs into the keystore should be enough (provided the trustedKeys in extendedMetadata is null, which is the default).
See the manual, chapter security profiles for all the details.

Self-Signed Certificate with SAML 2.0

Is it possible to sign a SAML 2.0 post with a self-signed certificate? I am in charge of implementing a new SSO procedure with a vendor using SAML 2.0 and we are trying to determine if we can sign the SAML post with a self-signed certificate or if we need to buy one.
If we can use a self-signed certificate, does the Service Provider need to do any additional steps to verify the signature? We are creating the SAML 2.0 post as the Identity Provider.
Thanks in advance.
Yes, I assume you mean signing the Assertion that is returned via POST binding (see SAML 2.0 Profiles, section 4.1.4.5). The SAML 2.0 specification mandates it be signed for SSO, but doesn't get into specifics of CA signed vs. self-signed.
Check with your software (both IdP and SP side) to see what is supported - some have limitations in this regard.
The SAML spec actually recommends that you use long-lived self-signed certificates. See this document for more info.