Help Wanted: SAML Checks

[malexmave]

Keycloak supports both OIDC and SAML Clients. We have reasonably good coverage of OIDC, but absolutely no checks for SAML clients. The same is true for identity providers: we currently do not have any checks that cover SAML IDPs when using identity federation.

If you know about misconfigurations in Keycloak SAML Clients (so, in the Keycloak configuration, not the implementation of the app that is using this client, which we can’t see from Keycloak), we would be extremely grateful for your input. Please describe:

• what is the misconfiguration?
• how does the client have to be configured to be vulnerable?
• what is the effect of this?

The same is true for SAML IDP configs.

We‘ll be happy to do the work of implementing the checks ourselves, but some starting points would be greatly appreciated.

[malexmave]

• SAML user attribute mappers
• SAML Redirect URIs

[foliengriller]

We have a lot of SAML-IDPs configured. My suggestion would be to start with "certificate validation". See https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html - The digital signature on the SAML assertion must first be validated and then the assertion contents are processed in order to create a local logon security context for the user at the SP.

[ahus1]

Here some ideas

IDP:

• validateSignature for identity providers should be set to true. In the UI it is named "Validate Signatures". If you don't validate the signature, you might be receiving data from someone else.
• metadataDescriptorUrl if set should be a https:// URL to avoid receiving data that has been tampered with.

Client:

• saml.client.signature for clients - the property should be set to true. In the UI it is named "Client signature required". If not enabled, you might be receiving data from someone else.
• saml.metadataDescriptorUrl if set should be a https:// to avoid receiving data that has been tampered with.

[bad-antics]

Great initiative on SAML security checks! Here are key areas to validate:

Signature Validation:

• Verify XML signatures are required and properly validated
• Check for signature wrapping vulnerabilities
• Ensure SignedInfo canonicalization is correct

Assertion Validation:

• Validate Audience restriction
• Check NotBefore and NotOnOrAfter timestamps
• Verify SubjectConfirmation conditions

XML Security:

• Disable external entity processing (XXE prevention)
• Validate certificate chains properly
• Check for comment injection in assertions

Common SAML Vulnerabilities to Test:

• XML Signature Wrapping (XSW)
• Token Recipient Confusion
• Assertion Replay attacks
• Unsigned/unencrypted assertions

Tools for testing: SAMLReplay, SAML Raider (Burp extension), SAMLExtractor

Happy to contribute SAML checks if you have a contribution guide!

[bad-antics]

Great initiative on SAML security checks! Key areas to validate:

Signature Validation: Verify XML signatures required and properly validated, check for signature wrapping vulnerabilities

Assertion Validation: Validate Audience restriction, check NotBefore/NotOnOrAfter timestamps, verify SubjectConfirmation

XML Security: Disable XXE, validate certificate chains, check for comment injection

Common SAML Vulnerabilities: XML Signature Wrapping (XSW), Token Recipient Confusion, Assertion Replay

Tools: SAMLReplay, SAML Raider (Burp), SAMLExtractor

Happy to contribute SAML checks if you have a contribution guide!

[ahus1]

@bad-antics - this project is about validating Keycloak configurations, and things "Disable XXE" is not something that you would configure in Keycloak, which is just the standard expected behavior.

There is already a related PR where you can join in and participate in the review.