Possible cause of "Invalid query param signature error"?

duhmojo · February 27, 2020, 9:10pm

Hi.

I’m struggling to figure out what the cause of “Invalid requester” when being directed to my Realm Client SAMLRequest end point. My browser will show a Keycloak page with “Invalid requester” and the Keycloak logs will show this:

19:38:43,405 ERROR [org.keycloak.protocol.saml.SamlService] (default task-6) request validation failed: org.keycloak.common.VerificationException: org.keycloak.common.VerificationException: Invalid query param signature
19:38:43,405 WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=CSDPAC, clientId=null, userId=null, ipAddress=172.23.0.1, error=invalid_signature

Does anybody have a pointer on what the validation error could be? The Mellon redirected browser URL looks like this:

http://proxy.test.demo/auth/realms/CSDPAC/protocol/saml?SAMLRequest=hZJfa8IwF...%3D&RelayState=http%3A%2F%2Fproxy.test.demo%2Fcamunda&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=E6B7R...D%3D

My Realm Client signature algorithm is RSA_SHA256 (the default) and I believe that’s what’s specified in the redirect URL.

Thanks in advance.

duhmojo · March 3, 2020, 1:30am

Keycloak seems to be unhappy with the Mellon SAML Signature Request Key. It is able to located a valid public key for validation, but then when it tried to validate the Signature using the identified SigAlg (https://www.w3.org/2001/04/) it failed with “Invalid query param signature”:

github.com

keycloak/keycloak/blob/d39dfd86888d292ebdafd6b5b98be2436b64846c/services/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java#L165




    try {
        byte[] decodedSignature = RedirectBindingUtil.urlBase64Decode(signature);


        String decodedAlgorithm = RedirectBindingUtil.urlDecode(encodedParams.getFirst(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY));
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getFromXmlMethod(decodedAlgorithm);
        Signature validator = signatureAlgorithm.createSignature(); // todo plugin signature alg
        Key key = locator.getKey(keyId);
        if (key instanceof PublicKey) {
            validator.initVerify((PublicKey) key);
            validator.update(rawQuery.getBytes("UTF-8"));
        } else {
            throw new VerificationException("Invalid key locator for signature verification");
        }
        if (!validator.verify(decodedSignature)) {
            throw new VerificationException("Invalid query param signature");
        }
    } catch (Exception e) {
        throw new VerificationException(e);
    }
}

Do you have any tips? Does this exception means that the Mellon “Signature” parameter in the redirect URL can’t be validated by the public key imported/retrieved, or that Mellon isn’t generating a compatible Signature (or original key)?

cv37 · May 4, 2020, 3:52pm

Hi,

Have you ever figured out what’s causing the issue? I ran into this exact same issue when signing my request.

Thanks,
cv37

nflorentin · March 27, 2024, 12:35pm

I had the same error and investigated the issues during hours, trying every possible parameter.

I never got the client signature working on a ream created by me.

I tried to create another client on master realm, with the exact same parameters (basically default parameters) and it worked.

I don’t understand why it works on master realm and does not on custom realm.

Topic		Replies	Views
Cloudflare SAML error: invalid signature Configuring the server identity-brokering , saml	1	74	July 4, 2024
Keycloak v22: invalid_signature with Elster's NEZO Interface (mein-unternehmenskonto.de) Getting advice authentication , saml	1	750	October 23, 2023
Setup another Keycloak client as SAML identity provider gives "invalid signature" Securing applications saml	1	3511	November 22, 2022
SLO SP-Initiated : error=invalid_signature Getting advice saml	1	6326	April 16, 2020
Invalid Requester with Slack SAML provider Configuring the server authentication , ldap , saml	0	1629	February 21, 2023

Possible cause of "Invalid query param signature error"?

Related Topics