Keycloak SAML KeyDescriptor not specifying encryption use

Keycloak’s SAML descriptor is correctly sending the Certificate information for signing, but it is not specifying a certificate for encryption. Because of this, my Client is not expecting encryption to be used… and then cannot decrypt responses back from Keycloak. Keycloak should be setting the “use” to also include “encryption”. Is that possible? Let me know if my question is not clear in some way. Here is more detailed information on exactly what we are seeing:

See below where the usage is “signing”; it also needs to specify a certificate for “encryption”. When we enable Assertion Encryption in the Client settings it fails, since the SAML Descriptor isn’t specifying a certificate to use with Encryption.


Basically this (although it says fixed):

Sorry for so many posts… this forum is really limiting for new users; I keep getting this:
Sorry, new users can only put 2 links in a post.

It is available in the SPSSODescriptor, not in IDPSSODescriptor. Check:

Thanks for the reply. However, specifying an additional use of the key is part of the IDPSSODescriptor. Keycloak currently states “signing” as a “use” but it should also include “encryption” as a use when encryption is enabled on the Client.

Thanks again @jangaraj for the info.

Ended up being a misinterpretation by the Service Provider on how SAML encryption should work. The software was looking for the IDP to provide an encryption certificate. The software problem on the SP side has been changed to use the SP’s private key to decrypt the assertion. No changes required on the Keycloak side.
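
The two points made above (the encryption key is declared in the SP’s SPSSODescriptor, and the SP decrypts with its own private key) are easy to confirm against the metadata itself. The script below is an added example, not Keycloak’s or the SP vendor’s code: it parses both parties’ SAML 2.0 metadata with the standard library and works out which certificate the IdP must encrypt the assertion to and which one the SP must verify the signature with. The metadata documents, entity IDs and certificate bodies are constructed placeholders; a KeyDescriptor with no `use` attribute is treated as valid for both purposes, as the SAML metadata specification allows.

```python
"""Resolve which certificate each SAML party uses for assertion encryption.

Added example (not Keycloak code). The IdP metadata below mirrors the shape of
Keycloak's realm descriptor: one KeyDescriptor with use="signing" and no
encryption KeyDescriptor. The SP metadata publishes both. All entity IDs and
certificate bodies are constructed placeholders, not real keys.
"""
import xml.etree.ElementTree as ET

# Parse metadata you obtained out-of-band from a trusted party. For metadata
# fetched from an untrusted source, swap in defusedxml to harden the parser.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>IDP-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>SP-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>SP-ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def key_descriptors(metadata_xml, role):
    """Return [(use, certificate)] for the given role descriptor.

    role is "IDPSSODescriptor" or "SPSSODescriptor". A KeyDescriptor without a
    use attribute may be used for both signing and encryption, so it is
    reported as "both".
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        found.append((kd.get("use", "both"), (cert or "").strip()))
    return found


def certs_for(descriptors, purpose):
    """Filter (use, cert) pairs down to certificates usable for `purpose`."""
    return [cert for use, cert in descriptors if use in (purpose, "both")]


def resolve_assertion_encryption(idp_xml, sp_xml):
    """Work out the key material each side needs for an encrypted assertion.

    The IdP encrypts to the SP's encryption certificate (the SP holds the
    matching private key and decrypts). The SP verifies the IdP's signature
    with the IdP's signing certificate. The IdP's own encryption certificate,
    if any, is not involved in this direction of the exchange.
    """
    idp = key_descriptors(idp_xml, "IDPSSODescriptor")
    sp = key_descriptors(sp_xml, "SPSSODescriptor")
    encrypt_to = certs_for(sp, "encryption")
    if not encrypt_to:
        raise ValueError("SP metadata offers no encryption certificate; "
                         "the IdP has nothing to encrypt the assertion to")
    verify_with = certs_for(idp, "signing")
    if not verify_with:
        raise ValueError("IdP metadata offers no signing certificate")
    return {
        "idp_encrypts_to": encrypt_to[0],
        "sp_verifies_with": verify_with[0],
        "idp_offers_encryption_cert": bool(certs_for(idp, "encryption")),
    }


if __name__ == "__main__":
    print(resolve_assertion_encryption(IDP_METADATA, SP_METADATA))
```

The SP-side bug described in the post corresponds to reading `idp_offers_encryption_cert` and refusing to proceed when it is false. That flag is irrelevant for decrypting an assertion: the SP only needs the private key matching its own published encryption certificate. An IdP-side encryption KeyDescriptor matters only when the SP sends encrypted content to the IdP, for example an encrypted NameID in a LogoutRequest.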

I’m facing a somewhat (perhaps?) similar situation.
I need the IDPSSODescriptor to contain a KeyDescriptor use attribute of the type encryption without doing any hacks. The reason is that some of our customers are all using the same IdP-proxy service that demands this. There’s nothing I can do to change that. Any ideas not including replacing Keycloak? 🙂