Search code examples
encryptionkeycloaksamlaes-gcm

Configure Keycloak to Encrypt SAML Assertions with AES-128-GCM Instead of AES-128-CBC

I am working on a project where Single Sign-On (SSO) is implemented via SAML. I am using Keycloak 26.0.6 locally to simulate the SSO. As part of the setup, I am trying to configure Keycloak to encrypt SAML assertions using AES-128-GCM instead of the default AES-128-CBC.

Below is a snippet of the current SAML response obtained through SAML-Tracer:

<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Id="_36c8dd9b03ad45e7acc1f938f69c148d"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
       ....
    </xenc:EncryptedData>
</saml2:EncryptedAssertion>

I need to encrypt the SAML assertion using AES-128-GCM instead of the default AES-128-CBC to verify if the Service Provider (My Application) can successfully decrypt the SAML assertion. However, I couldn’t find any way to configure Keycloak to achieve this. I am using the master realm. In the Realm Settings, I tried adding a new AES key using the "Add Provider" button, hoping to select the AES-128-GCM algorithm, but without success.

enter image description here

Any idea?

Solution

  • AES-128-GCM is currently (as of Dec. 2024) unsupported by Keycloak for SAML encryption, per Keycloak#14464:

    ... our SAML encryption always uses "http://www.w3.org/2001/04/xmlenc#aes128-cbc" as the encryption for encrypting SAML assertions etc. We don't even have any way to override it in the configuration. We do not need to limit ourselves to the original XML encryption spec. Keycloak uses Apache Santuario which supports also GCM (and other) algorithms since Santuario 1.5.0 (we're on 2.2.3) via BouncyCastle. We do not use those at this moment, but technically it should be relatively straightforward...

    Given that there is a linked discussion further down that appears to be closed, it would appear the Keycloak has no imminent intention to support GCM over CBC.

    If you are looking for a quick way to test your SP with an Identity Provider that supports GCM, I would look to something like SimpleSAMLphp which is very easy to deploy and supports GCM.