Enhancing SAML response with some xml tags?

I try to configure Keycloak 8.0.1 to work with a Qlik Server using SAML (SP initated).
Redirect from Qlik to Keycloak works. Also the login to Keycloak.
The Keycloak server sends the following SAML response back to the Qlik server:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://appservermaster:443/keycloak/samlauthn/" ID="ID...73b" InResponseTo="_...6" IssueInstant="2020-01-23T16:02:02.923Z" Version="2.0">
	<saml:Issuer>https://localhost:8443/auth/realms/qlik</saml:Issuer>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
	</samlp:Status>
	<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_...ff" IssueInstant="2020-01-23T16:02:02.923Z" Version="2.0">
		<saml:Issuer>https://localhost:8443/auth/realms/qlik</saml:Issuer>
		<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
			<dsig:SignedInfo>
				<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<dsig:Reference URI="#ID_c8a7a38b-f805-4fb0-a154-dd8810de52ff">
					<dsig:Transforms>
						<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
						<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					</dsig:Transforms>
					<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
					<dsig:DigestValue>esh...QE=</dsig:DigestValue>
				</dsig:Reference>
			</dsig:SignedInfo>
			<dsig:SignatureValue>n+...Gg==</dsig:SignatureValue>
			<dsig:KeyInfo>
				<dsig:KeyName>yu...us</dsig:KeyName>
				<dsig:X509Data>
					<dsig:X509Certificate>MI...PYI</dsig:X509Certificate>
				</dsig:X509Data>
				<dsig:KeyValue>
					<dsig:RSAKeyValue>
						<dsig:Modulus>pIY...xvw==</dsig:Modulus>
						<dsig:Exponent>A...</dsig:Exponent>
					</dsig:RSAKeyValue>
				</dsig:KeyValue>
			</dsig:KeyInfo>
		</dsig:Signature>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">qlikuser</saml:NameID>
			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
				<saml:SubjectConfirmationData InResponseTo="_3330...c6" NotOnOrAfter="2020-01-23T16:07:00.923Z" Recipient="https://appservermaster:443/keycloak/samlauthn/"/>
			</saml:SubjectConfirmation>
		</saml:Subject>
		<saml:Conditions NotBefore="2020-01-23T16:02:00.923Z" NotOnOrAfter="2020-01-23T16:03:00.923Z">
			<saml:AudienceRestriction>
				<saml:Audience>qliklogin</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AttributeStatement>
			<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">qlikuser</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">qlikuser</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>

The Qlik server responds with a 400 status code.
According to the Qlik Support team this seems to be the problem:


The SAML Response from Keycloak should have some additional xml tags…

How can I add the “needed” tags to the Keycloak SAML Response?

Thanks,

remsy

When looking into the Qlik Sense Proxy (Trace/Audit_proxy) the following WARN message: SAML assertion was not signed properly with any of the certificates provided in the IdP metadata

So try to sign assertion; SAML client config contains button with this function:

You may neeed to change other config options as well. I don’t know.

1 Like

Thanks for your reply,

Finally after switching to the settings you provided it worked.
Sign assertions was already enabled, but I used previously SHA-1 as the signature algorithm.
Changing that to RSA_SHA256 solved my problem.
These settings worked for me: