
Keycloak "validate signature" fails with G Suite SAML


I am using Keycloak 5.0.0 as an identity broker. I have connected it to G Suite as a SAML app. I have connected other SAML apps to G Suite so I know the drill, and I imported the G Suite Metadata XML into SAML, so I am confident that the X.509 keys are correct, but for some reason, if I select "Validate Signature" in Keycloak, the validation fails. The log says

ERROR [org.keycloak.broker.saml.SAMLEndpoint] validation failed
WARN  [org.keycloak.events] type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.10.2.1, error=invalid_signature

If I turn off "Signed Response" in G Suite or turn off "Want Assertions Signed" or "Validate Signature" in Keycloak then everything works, but I expect that is because Keycloak does not try to validate a signature in these situations (which of course is another bug when "Want Assertions Signed" and "Validate Signature" are on but "Signed Response" is off).

How do I fix this?


Solution

  • Turns out I was wrong about the meaning of "Signed Response". According to documentation from G Suite about setting up specific supported SAML apps, but not found in the "Set up your own custom SAML application" documentation, "Signed Response" does not mean what I thought it meant.

    When the Signed Response checkbox is unchecked, only the assertion is signed. When the Signed Response checkbox is checked, the entire response is signed.

    I verified (by changing the X.509 key and observing the results) that with "Signed Response" unchecked and "Want Assertions Signed" and "Validate Signature" turned on, Keycloak is validating that the assertions are signed. So that is the correct, valid, and secure configuration.
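The practical way to see which of the two G Suite modes an IdP is actually using is to decode the posted SAMLResponse and look at where the ds:Signature elements sit. The following inspector is an added example, not code from the question, the answer, Keycloak or G Suite. It uses only the Python standard library and does not verify the signatures cryptographically; it reports whether the Response, the Assertion(s), or both carry an enveloped signature, and it treats a Signature whose Reference does not point at its own enclosing element's ID as unsigned, since that is the shape XML signature wrapping attacks take. The `meets_policy` helper encodes an assumption about what a broker requires in each mode (assertion signatures when "Want Assertions Signed" is on, otherwise a Response signature), mirroring the working configuration reported above; the sample messages are constructed and their digest and signature values are dummies.

```python
"""Inspect where a SAML 2.0 Response carries XML-DSig signatures (added example)."""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _enveloped_signature_ok(element):
    """True if `element` has a direct ds:Signature child whose single
    ds:Reference URI is "#<element ID>", i.e. the enveloped-signature shape
    SAML mandates. A Signature referencing any other ID is the classic
    signature-wrapping red flag and is reported as not OK."""
    sig = element.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return len(refs) == 1 and refs[0].get("URI") == "#" + element.get("ID", "")


def inspect_saml_response(saml_response_b64):
    """Decode a base64 SAMLResponse (HTTP-POST binding form field) and report
    which elements are signed. No cryptographic verification is done here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    return {
        "response_signed": _enveloped_signature_ok(root),
        "assertions": len(assertions),
        "assertions_signed": sum(_enveloped_signature_ok(a) for a in assertions),
        "encrypted_assertions": len(root.findall(f"{{{SAML}}}EncryptedAssertion")),
    }


def meets_policy(report, want_assertions_signed):
    """Assumed broker policy: with want_assertions_signed every plaintext
    assertion must carry its own signature; otherwise the Response element
    itself must be signed."""
    if want_assertions_signed:
        return report["assertions"] > 0 and report["assertions_signed"] == report["assertions"]
    return report["response_signed"]


def _signature_xml(target_id):
    """Minimal XML-DSig skeleton; digest and signature values are dummies (constructed)."""
    return (
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        f'<ds:Reference URI="#{target_id}"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
        "</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>"
    )


def build_sample(sign_response, sign_assertion, assertion_sig_target="_a1"):
    """Constructed sample Response mimicking the two G Suite 'Signed Response'
    modes; assertion_sig_target lets you simulate a mis-pointed Reference."""
    assertion = (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">'
        + (_signature_xml(assertion_sig_target) if sign_assertion else "")
        + "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        + "</saml:Assertion>"
    )
    response = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0">'
        + (_signature_xml("_r1") if sign_response else "")
        + assertion
        + "</samlp:Response>"
    )
    return base64.b64encode(response.encode()).decode()


if __name__ == "__main__":
    # "Signed Response" unchecked: only the assertion is signed.
    print(inspect_saml_response(build_sample(sign_response=False, sign_assertion=True)))
    # "Signed Response" checked: the whole Response is signed, the assertion is not.
    print(inspect_saml_response(build_sample(sign_response=True, sign_assertion=False)))
```

Feed a real SAMLResponse captured from the browser (the value of the `SAMLResponse` form field) to `inspect_saml_response` to see which mode the IdP is in before touching the broker settings; for an actual cryptographic check, pair this with a library that implements exclusive canonicalization and XML-DSig verification.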