
Allow configure encryption details for SAML clients #40937


Open
wants to merge 1 commit into
base: main

Conversation

rmartinc (Contributor) commented Jul 4, 2025

Closes #40933

Draft PR to add configuration details to SAML assertion encryption. The main idea is that all the details (all the algorithms) can be configured. Missing points:

  • IMHO we should use AES_GCM_256 instead of AES_128 at least. Change other defaults? What happens to upgrades? The best approach would be to configure very secure defaults and allow lowering the configuration. But the problem is that right now we have to deal with existing clients. We can create an upgrade task to configure all existing clients as they are now (an insert-select over the attributes, for example).
  • Add an upgrading/release note accordingly (an upgrading note, or just a release note if we don't change defaults).

The current draft does not change any default. It just allows the options to be configured individually per client.

rmartinc (Contributor, Author) commented Jul 7, 2025

One more thing: now I see that there is a Signature and Encryption section in the General Settings tab. I can move the UI to that part. The options will appear only if Encrypt assertions is enabled in the Keys tab.

@mposolda mposolda self-assigned this Jul 8, 2025
@rmartinc rmartinc marked this pull request as draft July 8, 2025 14:38
jonkoops (Contributor) commented Jul 8, 2025

Sounds like a better place to move it to, go for it :)

Closes keycloak#40933

Signed-off-by: rmartinc <rmartinc@redhat.com>
rmartinc (Contributor, Author) commented:

I have modified the default encryption values. Now by default the encryption uses aes_256_gcm, rsa-oaep, sha-256 and mgf1sha256 when nothing is configured. The migration task is the one in charge of setting the previous old configuration on existing clients so that they do not use the new default values, to maintain backwards compatibility. I have added a note in the migration guide, but maybe it's better to add the note to the release notes now. Moving out of draft for review.

@rmartinc rmartinc marked this pull request as ready for review July 14, 2025 07:03
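As an added example (not code from the PR or from Keycloak), the following Go program models the two profiles the thread discusses: the new default (AES-256-GCM for the assertion, RSA-OAEP with SHA-256 and MGF1-SHA256 for the content key) and the legacy AES-128 configuration that the migration task pins on existing clients. The XML Encryption algorithm URIs are the real identifiers; the EncryptionProfile and EncryptedAssertion types, their field names, and the exact legacy OAEP pairing (xenc 1.0 rsa-oaep-mgf1p with SHA-1) are assumptions made here, and Keycloak's attribute names and its XML handling are not modelled. The point it makes is what the default change buys in practice: under the GCM profile a modified ciphertext fails decryption, under the CBC profile it silently decrypts to different bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
	"hash"
)
// XML Encryption 1.0/1.1 identifiers for the four settings the PR makes configurable per client.
const (
	AES128CBC    = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
	AES256GCM    = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
	RSAOAEPMGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" // xenc 1.0: MGF1 fixed to SHA-1
	RSAOAEP      = "http://www.w3.org/2009/xmlenc11#rsa-oaep"        // xenc 1.1: digest and MGF selectable
	SHA1Digest   = "http://www.w3.org/2000/09/xmldsig#sha1"
	SHA256Digest = "http://www.w3.org/2001/04/xmlenc#sha256"
	MGF1SHA1     = "http://www.w3.org/2009/xmlenc11#mgf1sha1"
	MGF1SHA256   = "http://www.w3.org/2009/xmlenc11#mgf1sha256"
)

// EncryptionProfile is this example's shape for the per-client choices (field names are not Keycloak's).
// NewDefault is what the PR applies when nothing is configured; Legacy approximates what the migration
// task pins on existing clients (the thread names AES-128; the SHA-1 OAEP pairing is an assumption).
type EncryptionProfile struct{ DataAlgorithm, KeyTransport, Digest, MGF string }
var (
	NewDefault = EncryptionProfile{AES256GCM, RSAOAEP, SHA256Digest, MGF1SHA256}
	Legacy     = EncryptionProfile{AES128CBC, RSAOAEPMGF1P, SHA1Digest, MGF1SHA1}
	// Go's OAEP applies one hash to both the digest and MGF1, so only matching pairs are supported.
	oaepHashes = map[[3]string]func() hash.Hash{
		{RSAOAEPMGF1P, SHA1Digest, MGF1SHA1}: sha1.New,
		{RSAOAEP, SHA256Digest, MGF1SHA256}:  sha256.New,
	}
	keySizes = map[string][2]int{AES128CBC: {16, 16}, AES256GCM: {32, 12}} // {key bytes, IV bytes}
)

// EncryptedAssertion carries the xenc:EncryptedKey bytes and the xenc:EncryptedData payload.
type EncryptedAssertion struct {
	EncryptedKey []byte // content key wrapped with the SP's RSA public key
	IV           []byte // 16 bytes for CBC, 12 bytes for GCM
	Ciphertext   []byte // GCM: ciphertext followed by the 16-byte tag
}
// EncryptAssertion wraps a fresh content key with RSA-OAEP and encrypts the assertion under it.
func EncryptAssertion(pub *rsa.PublicKey, p EncryptionProfile, assertion []byte) (*EncryptedAssertion, error) {
	newHash, ok := oaepHashes[[3]string{p.KeyTransport, p.Digest, p.MGF}]
	sizes, known := keySizes[p.DataAlgorithm]
	if !ok || !known {
		return nil, fmt.Errorf("unsupported profile %+v", p)
	}
	buf := make([]byte, sizes[0]+sizes[1]) // fresh content key and IV from the CSPRNG
	rand.Read(buf)                         // crypto/rand.Read never returns an error (Go 1.24+)
	cek, iv := buf[:sizes[0]], buf[sizes[0]:]
	wrapped, err := rsa.EncryptOAEP(newHash(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(cek) // key length validated by keySizes
	if p.DataAlgorithm == AES256GCM {
		gcm, _ := cipher.NewGCM(block) // authenticated: Seal appends the tag
		return &EncryptedAssertion{wrapped, iv, gcm.Seal(nil, iv, assertion, nil)}, nil
	}
	// xenc 1.0 CBC padding: arbitrary filler, last byte = number of padding bytes (1..16).
	padLen := aes.BlockSize - len(assertion)%aes.BlockSize
	padded := append(append([]byte{}, assertion...), make([]byte, padLen)...)
	padded[len(padded)-1] = byte(padLen)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded) // in place; no integrity protection
	return &EncryptedAssertion{wrapped, iv, padded}, nil
}

// DecryptAssertion is the SP side; it enforces the agreed profile instead of trusting URIs in the message.
func DecryptAssertion(priv *rsa.PrivateKey, p EncryptionProfile, e *EncryptedAssertion) ([]byte, error) {
	newHash, ok := oaepHashes[[3]string{p.KeyTransport, p.Digest, p.MGF}]
	sizes, known := keySizes[p.DataAlgorithm]
	if !ok || !known || len(e.IV) != sizes[1] {
		return nil, fmt.Errorf("profile %+v not supported or IV length wrong", p)
	}
	cek, err := rsa.DecryptOAEP(newHash(), nil, priv, e.EncryptedKey, nil)
	if err != nil || len(cek) != sizes[0] {
		return nil, fmt.Errorf("key unwrap failed: %v", err)
	}
	block, _ := aes.NewCipher(cek)
	if p.DataAlgorithm == AES256GCM {
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, e.IV, e.Ciphertext, nil) // tag check fails on any tampering
	}
	n := len(e.Ciphertext)
	if n == 0 || n%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not a whole number of blocks")
	}
	plain := make([]byte, n)
	cipher.NewCBCDecrypter(block, e.IV).CryptBlocks(plain, e.Ciphertext)
	if padLen := int(plain[n-1]); padLen >= 1 && padLen <= aes.BlockSize {
		return plain[:n-padLen], nil // the padding byte is the only check CBC offers
	}
	return nil, fmt.Errorf("bad padding")
}
```

With a 2048-bit RSA key, EncryptAssertion(&priv.PublicKey, NewDefault, assertion) produces a 256-byte EncryptedKey, a 12-byte IV and a ciphertext 16 bytes longer than the input; the Legacy profile produces a 16-byte IV and a ciphertext padded up to a block multiple. DecryptAssertion takes the profile from configuration rather than from the message, which is the check a service provider wants so that a sender cannot weaken the algorithms simply by editing the EncryptionMethod elements. A client pinned to Legacy by the migration task keeps decrypting as before; a client created after the upgrade gets authenticated encryption without any further configuration.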

Successfully merging this pull request may close these issues.

Allow configure encryption details for SAML clients
3 participants