Saml with Keycloak, signing and encryption confusion

[chunkyen]

Hi, I have configured my Cloudstack 4.22 to integrate with Keycloak 26.5.5 via Saml.
I have read #4519 and it seems to imply that Cloudstack supports both signing and encryption for the payload for Saml.

However, to get my Keycloak to work, I need to turn off encryption of the assertions. Else, I will get "Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name." which I think is because Cloudstack is not able to decrypt the payload from Keycloak. I am using the Key that is provided from the getSPMetadata for both the signing and encryption in Keycloak.

For the signing, there is a Global configuration named "saml2.check.signature". However, even with this turned on, I can still sign in using Saml when "Client signature required" setting is turned OFF in Keycloak. So I am not sure if the Cloudstack "saml2.check.signature" settings is actually enforcing signature checking requirement.

Edit, there are 2 settings in Keycloak for signature Sign Documents and Sign assertions, Sign Documents also include Sign assertions. So with Sign Documents disabled and saml2.check.signature enabled, I am not able to sign in which is the correct behaviour (see error screen below). Sign assertions will have no impact to Saml when integrating with cloudstack

[kiranchavala]

@chunkyen

Are you using a http or a https enabled cloudstack setup ?

[chunkyen]

Https with self signed cert on cloudstack and keycloak.

[chunkyen]

Apologies, I have forgotten my config. Although Cloudstack uses https, Keycloak is using http. I am also not able to use the https cloudstack endpoint as a redirect url, so I have also switched it to http. How will this affect the signing and encryption in SAML @kiranchavala ?

[gp-santos]

@chunkyen are you using Keycloak's default metadata URL? Could you check if there is only one KeyDescriptor and if it has the use=signing attribute? If so, try this.