I am trying to secure my Java web application using Keycloak SAML authentication, but when I generate the AuthnRequest it does not contain <ds:DigestValue> and <ds:SignatureValue>, and perhaps because of that Keycloak is giving the error below:
2023-10-24 09:08:03,777 ERROR [org.keycloak.protocol.saml.SamlService] (executor-thread-21) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
My code to generate the AuthnRequest is as follows:
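/**
 * Builds a signed SAML 2.0 {@code AuthnRequest} whose enveloped XML signature is what the
 * HTTP-POST binding carries.
 *
 * <p>The signature is computed in place on the marshalled DOM (RSA-SHA256 over exclusive
 * C14N). If the printed XML still shows empty {@code DigestValue}/{@code SignatureValue}
 * although no exception surfaced, check that the serialized output is taken from this
 * object's DOM ({@code authRequest.getDOM()}) rather than from a freshly marshalled copy
 * — presumably that is where the values get lost; confirm against the caller's print path.
 *
 * <p>NOTE(review): an enveloped signature is only meaningful for HTTP-POST. If the caller
 * transports the request with the HTTP-Redirect binding, the IdP expects the signature in
 * the {@code SigAlg}/{@code Signature} query parameters instead, which is what a
 * "SigAlg was null" rejection points at — verify which binding the caller actually uses.
 *
 * @param spProviderId SP entity ID, emitted as {@code Issuer}
 * @param acsUrl       AssertionConsumerServiceURL the IdP should post the response to
 * @param idpUrl       IdP single sign-on endpoint, emitted as {@code Destination}
 * @return the signed request; the signature values live in its DOM
 * @throws IllegalArgumentException if any argument is null or blank
 * @throws IllegalStateException if the signing credential cannot be loaded or signing fails;
 *     an unsigned request is never returned, so the failure is visible here instead of
 *     surfacing as a rejection by the IdP
 */
public AuthnRequest buildRequest(String spProviderId, String acsUrl, String idpUrl) {
    requireText(spProviderId, "spProviderId");
    requireText(acsUrl, "acsUrl");
    requireText(idpUrl, "idpUrl");

    Issuer issuer = new IssuerBuilder().buildObject(
            SAMLConstants.SAML20_NS, "Issuer", SAMLConstants.SAML20_PREFIX);
    issuer.setValue(spProviderId);

    AuthnRequest authRequest = new AuthnRequestBuilder().buildObject(
            SAMLConstants.SAML20P_NS, "AuthnRequest", SAMLConstants.SAML20P_PREFIX);
    authRequest.setForceAuthn(false);
    authRequest.setIssueInstant(new DateTime());
    authRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    authRequest.setAssertionConsumerServiceURL(acsUrl);
    authRequest.setIssuer(issuer);
    authRequest.setID(generateID());
    authRequest.setVersion(SAMLVersion.VERSION_20);
    authRequest.setDestination(idpUrl);
    authRequest.setNameIDPolicy(buildNameIdPolicy());

    // Fail closed: without a usable credential there is nothing to sign with, and the
    // original swallow-and-continue left the request unsigned with only a stack trace on stderr.
    Credential cred;
    try {
        cred = this.getSenderSigningCredential();
    } catch (Exception e) {
        throw new IllegalStateException("Unable to load the SP signing credential", e);
    }
    if (cred == null) {
        throw new IllegalStateException("SP signing credential is not configured");
    }

    XMLObjectBuilder<Signature> signFactory =
            Configuration.getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME);
    Signature signature = signFactory.buildObject(Signature.DEFAULT_ELEMENT_NAME);
    signature.setSigningCredential(cred);
    // Pin the algorithms rather than relying on whatever the global security configuration
    // defaults to, so the SignatureMethod the IdP sees does not change with library config.
    signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
    signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
    // NOTE(review): the Reference DigestMethod is not set here; it appears to come from the
    // global SecurityConfiguration, and the printed request shows it defaulting to SHA-1.
    // Prefer configuring a SHA-256 reference digest there.

    try {
        SecurityHelper.prepareSignatureParams(signature, cred, null, null);

        // Attach the signing certificate as KeyInfo so the IdP can match the key it trusts.
        KeyInfoGeneratorManager keyInfoGeneratorManager = Configuration
                .getGlobalSecurityConfiguration()
                .getKeyInfoGeneratorManager()
                .getDefaultManager();
        KeyInfoGeneratorFactory keyInfoGeneratorFactory = keyInfoGeneratorManager.getFactory(cred);
        if (keyInfoGeneratorFactory == null) {
            throw new IllegalStateException(
                    "No KeyInfoGeneratorFactory registered for credential type "
                            + cred.getClass().getName());
        }
        signature.setKeyInfo(keyInfoGeneratorFactory.newInstance().generate(cred));

        // Order matters: the object must be marshalled to DOM before Signer can compute the
        // digest and signature over it.
        authRequest.setSignature(signature);
        Configuration.getMarshallerFactory().getMarshaller(authRequest).marshall(authRequest);
        Signer.signObject(signature);
    } catch (IllegalStateException e) {
        throw e;
    } catch (Exception e) {
        throw new IllegalStateException("Signing the AuthnRequest failed", e);
    }
    return authRequest;
}

/** Rejects a null or whitespace-only argument, naming the parameter in the message. */
private void requireText(String value, String name) {
    if (value == null || value.trim().isEmpty()) {
        throw new IllegalArgumentException(name + " must not be null or blank");
    }
}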
But when I print it as XML, it shows the following:
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:9222/saml/*" Destination="http://localhost:8280/realms/IDP_REALM/protocol/saml" ForceAuthn="false" ID="_4479bf8ac628da22c598a8427556a2ef5be431e5" IssueInstant="2023-10-23T16:26:45.682Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2p:Issuer xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:assertion">Sample</saml2p:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Reference URI="#_4479bf8ac628da22c598a8427556a2ef5be431e5" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICmzCCAYMCBgGK23vMZzANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZTYW1wbGUwHhcNMjMw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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"/></saml2p:AuthnRequest>
How can I set those two values, or why is Keycloak giving that error?