Keycloak SAML support for rsa-sha1

Hello,

I am trying to sign into an application using keycloak with SAML.

I have created the Keycloak client that matches the SAML issuer name. When I get taken to the Keycloak login page via the app I now see: "We are sorry… Invalid requester"

From a deeper look, the Keycloak logs have this error:
Caused by: org.keycloak.saml.common.exceptions.ProcessingException: javax.xml.crypto.dsig.XMLSignatureException: PL00100: Signing Process Failure:
Caused by: javax.xml.crypto.MarshalException: It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 when secure validation is enabled

If I look at the SAML log, I do see that the app is using rsa-sha1:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#a3f90f91hg27d3h04djj9aj6fic776e"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

Is there any way I can get Keycloak v26 to work with this algorithm? I have set the Signature algorithm to RSA_SHA1 inside the Keycloak client. However, I still get the same error message. Or can I turn off secure validation as a first test, and if so, how?
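The error above comes from the JDK's XML-DSig secure validation, which rejects SHA-1 based algorithm URIs in the `SignedInfo` block regardless of what the Keycloak client is set to. A quick way to see exactly which URIs the application is sending, before asking its vendor to change them, is to audit the `SignatureMethod` and `DigestMethod` elements of a captured SAML message. The script below is an added example written for this thread; it is not Keycloak code. The `WEAK` table lists the common SHA-1 and MD5 URIs (the JDK's authoritative list is the `jdk.xml.dsig.secureValidationPolicy` property in its `java.security` file), the `RECOMMENDED` replacements and the sample AuthnRequest are constructed, and the signature and digest values in the sample are placeholders, so it only demonstrates algorithm selection, not signature verification.

```python
"""Audit the algorithm URIs used in a SAML message's XML signature."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS_MORE = "http://www.w3.org/2001/04/xmldsig-more#"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# SHA-1 / MD5 URIs that current JDKs reject under XML-DSig secure validation.
# Assumption: the JDK runs with its default jdk.xml.dsig.secureValidationPolicy.
WEAK = {
    DS + "sha1": "SHA-1 digest",
    DS + "rsa-sha1": "RSA-SHA1 signature",
    DS + "dsa-sha1": "DSA-SHA1 signature",
    DS_MORE + "ecdsa-sha1": "ECDSA-SHA1 signature",
    DS_MORE + "md5": "MD5 digest",
    DS_MORE + "rsa-md5": "RSA-MD5 signature",
}

# Replacement URIs to suggest per element (constructed mapping for this example).
RECOMMENDED = {
    "SignatureMethod": DS_MORE + "rsa-sha256",
    "DigestMethod": XMLENC + "sha256",
}


def audit_signature(xml_text):
    """Return one finding per SignatureMethod/DigestMethod found in ds:Signature."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        for tag in ("SignatureMethod", "DigestMethod"):
            for el in sig.iter(f"{{{DS}}}{tag}"):
                alg = el.get("Algorithm", "")
                findings.append({
                    "element": tag,
                    "algorithm": alg,
                    "weak": alg in WEAK,
                    "reason": WEAK.get(alg),
                    "recommended": RECOMMENDED[tag],
                })
    return findings


def weak_algorithms(xml_text):
    """Sorted list of the weak algorithm URIs the message uses (empty if clean)."""
    return sorted({f["algorithm"] for f in audit_signature(xml_text) if f["weak"]})


def sample_request(sig_alg, digest_alg):
    """Constructed SAML AuthnRequest skeleton with an enveloped signature.

    The ID and the digest/signature values are placeholders, not real data."""
    return f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_constructed-id-1">
        <ds:Transforms>
          <ds:Transform Algorithm="{DS}enveloped-signature"/>
          <ds:Transform Algorithm="{EXC_C14N}"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""


def report(xml_text):
    """Human-readable summary of what the SP must change on its side."""
    lines = []
    for f in audit_signature(xml_text):
        if f["weak"]:
            lines.append(f"{f['element']}: {f['algorithm']} ({f['reason']}) "
                         f"-> change to {f['recommended']}")
        else:
            lines.append(f"{f['element']}: {f['algorithm']} (ok)")
    return "\n".join(lines)


if __name__ == "__main__":
    legacy = sample_request(DS + "rsa-sha1", DS + "sha1")
    print(report(legacy))
    print("---")
    print(report(sample_request(DS_MORE + "rsa-sha256", XMLENC + "sha256")))
```

Feed `audit_signature` the decoded AuthnRequest from the Keycloak SAML log (or the application's SP metadata, which declares the same `Algorithm` URIs). Every line it flags as weak is something the application has to change; the IdP side has nothing to set, because the client's Signature algorithm option governs what Keycloak signs, not what it will accept from the SP.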

Not helpful to the root failure, but I would not entertain the idea of accepting SHA-1. It has been deprecated for years, since at least 2011, and there's no reason any application still uses it.

Instead of attempting to update Java or any IdP into downgrading its enforcement, the application should be forced to upgrade to at least SHA-2. The requirement is on the app side to meet security requirements, not on your IdP to downgrade to their level. Need to bring them up, not your stuff down.