What kind of KeyInfo does ADFS expect to get?

  • Question

  • Does anybody know what type of <KeyInfo> ADFS expects to find in the <Signature> field of a SAMLRequest message?

    There are several options to choose from. I'm using the Keycloak SAML library, which only sends this field in <KeyValue> format (containing the modulus and exponent of the RSA public key). Can ADFS digest this?

    <ds:KeyInfo>
        <ds:KeyValue>
            <ds:RSAKeyValue>
                <ds:Modulus>tfJ29N0G1...</ds:Modulus> 
                <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
        </ds:KeyValue>
    </ds:KeyInfo>

    Wednesday, April 26, 2017 12:28 PM

Answers

  • Answering my own question - apparently, the <KeyInfo> format doesn't matter. I got keycloak working with ADFS, while using <KeyValue> format only. As I was told on keycloak-user mailing list, "ADFS should be able to determine the correct certificate for signature validation itself by iterating all available certificates."
    • Marked as answer by Mucius Saturday, April 29, 2017 9:37 AM
    Saturday, April 29, 2017 9:35 AM
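The answer above says ADFS does not depend on the <KeyInfo> form and instead iterates its own registered certificates. The following is an added example, not code from the thread, Keycloak or ADFS, showing what that means for a relying party: the <KeyInfo> (RSAKeyValue, X509Certificate or KeyName) is read only as a hint that orders which trusted key to try first, and a signature is never verified with key material carried inside the message itself. It uses only the Python standard library; the RSA key pairs, the trust store entries, the <ds:Signature> fragment and the stand-in for the canonicalized SignedInfo bytes are all constructed for the demo (no real XML-DSig canonicalization is performed).

```python
"""Added example, not code from the thread: a SAML relying party that treats
<ds:KeyInfo> purely as a hint and verifies only with keys from its own trust
store, trying every trusted key when the hint is unusable (the behaviour the
answer attributes to ADFS). Keys, XML and signed bytes are constructed."""
import base64
import hashlib
import random
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; only needed to build the demo keys offline."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_rsa_key(bits, seed):
    """Deterministic toy RSA key pair (demo only, never for real keys)."""
    rng = random.Random(seed)
    def prime(b):
        while True:
            p = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(p, rng):
                return p
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rsa_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(msg, k)

def parse_key_info(signature_xml):
    """Return the KeyInfo hint: ('rsa', n, e), ('x509', der), ('name', s) or None."""
    ki = ET.fromstring(signature_xml).find(f".//{DS}KeyInfo")
    if ki is None:
        return None
    rkv = ki.find(f".//{DS}RSAKeyValue")
    if rkv is not None:
        n = int.from_bytes(base64.b64decode(rkv.findtext(f"{DS}Modulus")), "big")
        e = int.from_bytes(base64.b64decode(rkv.findtext(f"{DS}Exponent")), "big")
        return ("rsa", n, e)
    cert = ki.findtext(f".//{DS}X509Certificate")
    if cert:
        return ("x509", base64.b64decode(cert))
    name = ki.findtext(f"{DS}KeyName")
    return ("name", name.strip()) if name else None

def verify_with_trust_store(signature_xml, signed_bytes, sig, trusted):
    """Verify sig over signed_bytes using ONLY keys in `trusted`. The hint just
    reorders the attempts; key material from the message is never used.
    Returns the name of the matching trusted key, or None."""
    hint = parse_key_info(signature_xml)
    order = list(trusted)  # stable sort below moves the hinted key to the front
    if hint and hint[0] == "rsa":
        order.sort(key=lambda k: (k["n"], k["e"]) != (hint[1], hint[2]))
    elif hint and hint[0] == "name":
        order.sort(key=lambda k: k["name"] != hint[1])
    # X509Certificate hints (not parsed here) and a missing KeyInfo: try every key
    for key in order:
        if rsa_verify(key["n"], key["e"], signed_bytes, sig):
            return key["name"]
    return None

def build_signature_xml(key):
    """Constructed KeyValue-style <ds:Signature>, the shape Keycloak sends."""
    b64 = lambda i: base64.b64encode(i.to_bytes((i.bit_length() + 7) // 8, "big")).decode()
    return (f'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
            f'<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>{b64(key["n"])}</ds:Modulus>'
            f'<ds:Exponent>{b64(key["e"])}</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>'
            f'</ds:KeyInfo></ds:Signature>')

def demo():
    keycloak = make_rsa_key(1024, seed=1)  # SP key registered in the IdP trust store
    other = make_rsa_key(1024, seed=2)     # another registered relying party
    unknown = make_rsa_key(1024, seed=3)   # a key that was never registered
    trusted = [{"name": "other-rp", "n": other["n"], "e": other["e"]},
               {"name": "keycloak-sp", "n": keycloak["n"], "e": keycloak["e"]}]
    signed_info = b"<ds:SignedInfo>stand-in for canonicalized SignedInfo</ds:SignedInfo>"
    accepted = verify_with_trust_store(build_signature_xml(keycloak), signed_info,
                                       rsa_sign(keycloak, signed_info), trusted)
    rejected = verify_with_trust_store(build_signature_xml(unknown), signed_info,
                                       rsa_sign(unknown, signed_info), trusted)
    return accepted, rejected

if __name__ == "__main__":
    print(demo())
```

Run it directly and `demo()` reports that the Keycloak-signed request verifies against the registered key named `keycloak-sp`, while a request whose <KeyInfo> advertises an unregistered key is rejected even though its signature is internally valid. That is the property to check in any relying party: whichever <KeyInfo> form the sender chooses (or omits), verification succeeds only with a key the verifier already trusts.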

All replies

  • Hello Mucius, can you elaborate on which Open Specifications documents you are working with? If you could provide additional details, that would be helpful.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications

    Thursday, April 27, 2017 12:55 AM
    Moderator
  • Sorry, maybe I posted this in the wrong place. I didn't find anything closer to the topic in the list of suggested forums.
    Saturday, April 29, 2017 9:37 AM