Add documentation for SAML SP metadata changes in KC 21 (#1760)
parent eb2f9e9921
commit 28ca30efc6
3 changed files with 45 additions and 3 deletions
@ -16,3 +16,25 @@ See the migration guide for details.
We removed the out-of-box support for Hashicorp vault in this release.
See this https://github.com/keycloak/keycloak/discussions/16446[discussion] for more details.
= SAML SP metadata changes
Prior to this release, SAML SP metadata contained the same key for both
signing and encryption use. Starting with this version of Keycloak,
we include only encryption intended realm keys for encryption use
in SP metadata. For each encryption key descriptor we also specify
the algorithm that it is supposed to be used with. The following table shows
the supported XML-Enc algorithms with the mapping to Keycloak realm keys.
See the link:{upgradingguide_link}[{upgradingguide_name}] for more details.
[cols="1,1"]
|===
|*XML-Enc algorithm*
|*Keycloak realm key algorithm*
|https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p[rsa-oaep-mgf1p]
|RSA-OAEP
|https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5[rsa-1_5]
|RSA1_5
|===
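Review bot: the sentence "we include only encryption intended realm keys for encryption use in SP metadata" (the lines starting "we include only" and "in SP metadata") is hard to parse; suggest "we include only realm keys whose use is ENC (encryption) as encryption key descriptors in SP metadata". Two smaller points in the same hunk: the first table row is made to look like a header with inline bold (`|*XML-Enc algorithm*` / `|*Keycloak realm key algorithm*`) where `[cols="1,1",options="header"]` would render a real header row; and the table lists `rsa-1_5` next to `rsa-oaep-mgf1p` with no indication of which is preferred, so a reader configuring a new IdP gets no guidance on which encryption key descriptor to pick. One sentence naming the recommended algorithm would close that gap.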
@ -64,8 +64,13 @@ We recommend to use some more secure algorithm instead of `*_SHA1`. Also, with `
do not work if the SAML identity provider (for example another instance of {project_name}) runs on Java 17 or higher.
|Encryption Algorithm
|Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key
|Encryption algorithm, which is used by SAML IDP for encryption of SAML
for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage.
documents, assertions, or IDs. The corresponding decryption key for decrypt
SAML document parts will be chosen based on this configured algorithm and
should be available in realm keys for the encryption (ENC) usage. If the
algorithm is not configured, any supported algorithm is allowed and a
decryption key will be chosen based on the algorithm specified in SAML document
itself.
|SAML Signature Key Name
|Signed SAML documents sent using POST binding contain the identification of signing key in `KeyName` element, which, by default, contains the {project_name} key ID. External SAML IDPs can expect a different key name. This switch controls whether `KeyName` contains:
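Review bot: the new sentence "If the algorithm is not configured, any supported algorithm is allowed and a decryption key will be chosen based on the algorithm specified in SAML document itself" states the behaviour but not its consequence: with no algorithm pinned, whoever produced the document decides which of the realm's ENC keys is used for decryption, so the doc should recommend setting the algorithm whenever the IdP's algorithm is known and leaving it unset only where documents with mixed algorithms are expected. Also, "The corresponding decryption key for decrypt SAML document parts" is carried over from the old text; since the lines are being rewrapped anyway, change it to "for decrypting SAML document parts", and "specified in SAML document itself" reads better as "specified in the SAML document itself".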
@ -34,3 +34,18 @@ algorithms do not work on Java 17 or higher. If you use this algorithm and the o
The possible workaround is to remove algorithms such as `++http://www.w3.org/2000/09/xmldsig#rsa-sha1++` or `++http://www.w3.org/2000/09/xmldsig#dsa-sha1++` from the list
of "disallowed algorithms" configured on property `jdk.xml.dsig.secureValidationPolicy` in the file `$JAVA_HOME/conf/security/java.security`.
= SAML SP metadata changes
In this version, Keycloak will refuse to decrypt assertions encrypted using
a realm key generated for signing purpose. This change means all encrypted
communication from IDP to SP (where Keycloak acts as the SP) will stop working.
There are two ways to make this work:
- either update the IDP configuration with the metadata generated by a newer
version of Keycloak,
- or run Keycloak in backward compatibility mode that will make Keycloak
work with the metadata generated by older Keycloak versions. This mode can be
enabled using `-Dkeycloak.saml.deprecated.encryption=true` flag. Note this
backward compatibility mode is planned to be removed in Keycloak 24.
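Review bot: "all encrypted communication from IDP to SP (where Keycloak acts as the SP) will stop working" is broader than the change the first sentence describes, which only refuses keys generated for signing; an IdP that already encrypts to an ENC-use realm key keeps working, so qualify it, e.g. "will stop working if the IdP was configured from SP metadata generated by an older Keycloak version". In the same hunk, "generated for signing purpose" should be "generated for signing purposes"; the `-Dkeycloak.saml.deprecated.encryption=true` line should say where the flag goes (it is a JVM system property passed to the server at startup) rather than just "using ... flag"; and since the compatibility mode re-enables the behaviour this release removes and is slated for removal in Keycloak 24, the two options should not read as equal: state that updating the IdP with the new metadata is the recommended path and the flag is a stop-gap.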