Keycloak SAML Response DigestValue fails validation #29454
Replies: 1 comment
-
This is related to or explained by #22962
-
Hi all - I am setting up a third-party app with SAML SSO through Keycloak (24.0.4); the realm is set up to use Microsoft Entra ID as the IdP, in which my user account is included. Using IdP-initiated SSO the auth process through Entra ID is successful, as well as the redirect back to the app, but SSO ultimately fails within the app. I have tested a number of different settings in both the app and Keycloak including the certificate, Audience, Issuer, NameId formats, and canonicalization, but the app still could not complete SSO.
I fed the SAML response from Keycloak into samltool.io, and it reported an invalid document signature:
samlResponse_digestValue.txt
My understanding of the digest is that it is a base64-encoded hash of the Response (or Attributes, depending on the Keycloak setting) meant to verify the response was not modified en route. I do not know how samltool.io does its validation, but I am wondering if the invalid signature error is preventing the SP from completing SSO.
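The digest check the post describes, as an added worked example (this is not code from the Keycloak project or from the original poster). It builds a constructed toy samlp:Response carrying an enveloped XML signature, then does what an SP does with ds:Reference: applies the enveloped-signature transform (drops the ds:Signature element, since the digest cannot cover the value that contains it), canonicalizes the rest, hashes it with the algorithm named in ds:DigestMethod and base64-encodes the result, then compares that to the declared ds:DigestValue. All IDs, URLs and the NameID are placeholders. Caveat on the canonicalization step: the example uses the stdlib xml.etree.ElementTree.canonicalize(), which implements C14N 2.0, whereas Keycloak and most SAML stacks sign with Exclusive C14N 1.0 (http://www.w3.org/2001/10/xml-exc-c14n#); the two differ in namespace-declaration handling, so this shows the structure of the check rather than serving as a drop-in validator for a real Keycloak response.

```python
"""Recompute a SAML Response's ds:DigestValue and compare it to the declared one.

Added example, not Keycloak's code. Uses stdlib C14N 2.0 canonicalization, so it
is a structural demonstration of DigestValue checking, not a production validator.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS_NS)
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# DigestMethod URIs an SP may meet; SHA-1 is listed only so legacy responses can be checked.
DIGEST_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
}


def build_response(digest_value: str) -> str:
    """Constructed sample response; every identifier and URL here is a placeholder."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_resp1" Version="2.0" IssueInstant="2024-06-01T00:00:00Z" Destination="https://sp.example.test/acs">
<saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
<ds:Signature xmlns:ds="{DS_NS}">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_resp1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>{digest_value}</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>AAAA</ds:SignatureValue>
</ds:Signature>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T00:00:00Z">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID></saml:Subject>
</saml:Assertion>
</samlp:Response>"""


def strip_signature(root: ET.Element) -> None:
    """Enveloped-signature transform: remove ds:Signature but keep the whitespace
    text node that followed it, because that text is part of the signed document."""
    children = list(root)
    for i, child in enumerate(children):
        if child.tag == f"{{{DS_NS}}}Signature":
            tail = child.tail or ""
            if i > 0:
                children[i - 1].tail = (children[i - 1].tail or "") + tail
            else:
                root.text = (root.text or "") + tail
            root.remove(child)


def declared_digest(response_xml: str) -> tuple[str, str]:
    """Return (DigestMethod algorithm URI, DigestValue text) from the first ds:Reference."""
    root = ET.fromstring(response_xml)
    ref = root.find(f".//{{{DS_NS}}}Reference")
    if ref is None:
        raise ValueError("no ds:Reference in response")
    method = ref.find(f"{{{DS_NS}}}DigestMethod")
    value = ref.find(f"{{{DS_NS}}}DigestValue")
    if method is None or value is None or not value.text:
        raise ValueError("ds:Reference lacks DigestMethod or DigestValue")
    return method.get("Algorithm", ""), value.text.strip()


def compute_digest(response_xml: str, algorithm: str) -> str:
    """Hash the canonicalized response with ds:Signature removed; base64 like DigestValue."""
    if algorithm not in DIGEST_ALGS:
        raise ValueError(f"unsupported DigestMethod {algorithm}")
    root = ET.fromstring(response_xml)
    strip_signature(root)
    # C14N 2.0 here; real SAML stacks apply Exclusive C14N 1.0 at this step.
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    raw = DIGEST_ALGS[algorithm](canonical.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def verify_digest(response_xml: str) -> bool:
    """True when the declared DigestValue matches the recomputed one (constant-time compare)."""
    algorithm, declared = declared_digest(response_xml)
    return hmac.compare_digest(declared, compute_digest(response_xml, algorithm))


if __name__ == "__main__":
    alg, _ = declared_digest(build_response("PLACEHOLDER"))
    good = build_response(compute_digest(build_response("PLACEHOLDER"), alg))
    print("intact response digest ok:", verify_digest(good))
    print("tampered NameID digest ok:", verify_digest(good.replace("user@", "admin@")))
```

Two things worth keeping in mind when reading a tool's "invalid signature" verdict against output like this: a matching DigestValue only proves the referenced element (Response or Assertion, depending on what Keycloak was told to sign) is byte-for-byte what the IdP hashed, while the separate SignatureValue over ds:SignedInfo, checked with the IdP certificate, is what binds that digest to the issuer. A failure on either step is reported as a bad signature by most validators, and any whitespace, namespace or attribute change between Keycloak and the SP, including reformatting the XML before pasting it into a validator, will break the digest while leaving the SignatureValue intact.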