Enable Signed/Encrypted Assertion with SAML IDP

Hi All,

We are using Keycloak (our current version is 17) for almost 3 years now, using MyID as the SAML IDP; all was fine, but now we are asked to enable signed/encrypted assertions.

We got the cert from the MyID team and "validate signature" is enabled. The problem is that when we enable signed/encrypted assertion we get "invalid requester"; checking the logs we see "The assertion is not encrypted, which is required".

So does that mean there is missing configuration on the MyID side, or how should we resolve that?

Appreciate your help please.


To achieve SAML encryption, the SAML response received by Keycloak must be signed using a public key from your realm – so you need to give the identity provider your public certificate (see Realm Settings → Keys → RS256 for example), so they can do that. When the SAML response is received by the SP (Keycloak), your private key is used to decrypt the assertion.

For SAML signature verification (unlike SAML encryption), the identity provider will send you their public key that they used to create the signature. This can be used to verify the signature by adding their certificate to the identity provider config and flipping the signature verification flag on.

In other words: It sounds like you need to send the identity provider your public key and ask them to encrypt the assertion using that key. Also, if you want the assertion signed, then you will need to configure that in the Keycloak Identity provider by enabling signature validation and also adding their public key.

I hope that helps.

sso - SAML assertion encryption and using same key for encryption as signing - Information Security Stack Exchange.
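The answer above comes down to a structural check on the SAML Response Keycloak receives: with "Want Assertions Encrypted" on, the Response must carry a `saml:EncryptedAssertion` (encrypted to the realm's public key), and with "Validate Signature" on, there must be a `ds:Signature` the IdP's certificate can verify. The following script is an added example, not Keycloak code and not from the original thread; it parses a captured Response with the standard library and reports which of those two requirements it fails, reusing the log message quoted in the question. The two sample Responses are constructed, the IdP URL `idp.example.test` and the `PLACEHOLDER` cipher/signature values are made up, and the script only inspects structure; it does not verify signatures or decrypt anything, so it is a triage aid for comparing what the IdP actually sends against the Keycloak flags.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses, XML Signature and XML Encryption.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: IdP signs the assertion but sends it in the clear.
PLAINTEXT_SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/myid</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/myid</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: IdP signs the Response and encrypts the assertion
# (AES-GCM content key, itself wrapped with the SP's RSA public key).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/myid</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def inspect_response(xml_text):
    """Return what the Response structurally contains (no crypto is performed)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    plain = root.find("saml:Assertion", NS)
    enc = root.find("saml:EncryptedAssertion", NS)
    data_alg = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS) if enc is not None else None
    key_alg = (enc.find("xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
               if enc is not None else None)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        # An assertion inside EncryptedAssertion cannot be inspected for a
        # signature until it is decrypted with the SP's private key.
        "assertion_signed": plain is not None and plain.find("ds:Signature", NS) is not None,
        "assertion_encrypted": enc is not None,
        "data_algorithm": data_alg.get("Algorithm") if data_alg is not None else None,
        "key_transport_algorithm": key_alg.get("Algorithm") if key_alg is not None else None,
    }


def check_against_idp_config(info, want_assertions_encrypted, validate_signature):
    """Mimic the two Keycloak IdP flags; return the list of failed requirements."""
    problems = []
    if want_assertions_encrypted and not info["assertion_encrypted"]:
        problems.append("The assertion is not encrypted, which is required")
    if validate_signature and not (info["response_signed"] or info["assertion_signed"]):
        problems.append("No XML signature on the Response or the (plaintext) Assertion")
    return problems


if __name__ == "__main__":
    for label, xml in (("plaintext+signed", PLAINTEXT_SIGNED_RESPONSE),
                       ("encrypted", ENCRYPTED_RESPONSE)):
        info = inspect_response(xml)
        print(label, info)
        print("  with encryption+signature required:",
              check_against_idp_config(info, True, True) or "OK")
```

Run it against a Response captured from the browser (the base64 SAMLResponse form field, decoded) and the first case reproduces the log line from the question: the IdP is signing but not encrypting, which is exactly what the answer says has to be fixed on the IdP side by giving it the realm certificate. The second case passes both checks; the recorded `key_transport_algorithm` tells you which realm key the IdP wrapped the content key with, which is the key Keycloak must hold the private half of.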