Hi, I have configured my CloudStack 4.22 to integrate with Keycloak 26.5.5 via SAML.
I have read #4519 and it seems to imply that CloudStack supports both signing and encryption of the payload for SAML.
However, to get my Keycloak to work, I need to turn off encryption of the assertions. Otherwise, I get "Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.", which I think is because CloudStack is not able to decrypt the payload from Keycloak. I am using the key that is provided by getSPMetadata for both signing and encryption in Keycloak.
For the signing, there is a global configuration named "saml2.check.signature". However, even with this turned on, I can still sign in using SAML when the "Client signature required" setting is turned OFF in Keycloak. So I am not sure whether the CloudStack "saml2.check.signature" setting is actually enforcing the signature-checking requirement.
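The two symptoms above can be narrowed down by looking at what the IdP actually sends, before touching either side's configuration. The script below is an added diagnostic written for this thread; it is not code from CloudStack, Keycloak or the original poster. It takes a decoded SAMLResponse (the base64 value of the `SAMLResponse` form field that the browser POSTs to the SP, which you can copy from the browser's developer tools) and reports whether the assertion is encrypted, which elements carry an XML signature, and which attributes are visible in the clear. An encrypted assertion exposes no `saml:Attribute` elements until it is decrypted, which is exactly the situation in which an SP that cannot decrypt would fail to find a username attribute. It also reads an SP metadata document and lists the `use` values on its `KeyDescriptor` elements (per the SAML metadata spec, a missing `use` means the key serves both signing and encryption). The sample responses, the metadata and the dummy signature and certificate values are constructed for the example; the script only detects the presence of signatures, it does not verify them, so it tells you what a signature check could act on, not whether one is being performed.

```python
"""Inspect a decoded SAML 2.0 Response and SP metadata (added diagnostic, not
CloudStack or Keycloak code). Element names follow SAML 2.0 Core / Metadata."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}


def decode_saml_response(b64_form_value):
    """The SAMLResponse POST parameter is base64 of the XML; decode it to text."""
    return base64.b64decode(b64_form_value).decode("utf-8")


def inspect_response(xml_text):
    """Return what is visible in the Response without any decryption or verification."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    info = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_encrypted": encrypted is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "attributes": {},
    }
    if assertion is not None:  # attributes are only readable in a plaintext assertion
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            info["attributes"][attr.get("Name")] = values
    return info


def username_attribute(info, configured_name):
    """Mimic an SP looking up its configured username attribute; None if absent."""
    values = info["attributes"].get(configured_name)
    return values[0] if values else None


def inspect_sp_metadata(xml_text):
    """List the 'use' of each SP KeyDescriptor; no use attribute means both."""
    root = ET.fromstring(xml_text)
    descriptors = root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS)
    return [kd.get("use") or "signing+encryption" for kd in descriptors]


# Constructed sample 1: plaintext assertion, signed at assertion level, one attribute.
PLAIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example/realms/demo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example/realms/demo</saml:Issuer>
    <ds:Signature><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
PLAIN_RESPONSE_B64 = base64.b64encode(PLAIN_RESPONSE.encode()).decode()

# Constructed sample 2: response-level signature, assertion encrypted (no attributes in the clear).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r2" Version="2.0">
  <saml:Issuer>https://idp.example/realms/demo</saml:Issuer>
  <ds:Signature><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>ZHVtbXk=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed SP metadata advertising separate signing and encryption keys (dummy certs).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBdummy</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBdummy</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, xml in (("plain", PLAIN_RESPONSE), ("encrypted", ENCRYPTED_RESPONSE)):
        info = inspect_response(xml)
        print(label, info, "username:", username_attribute(info, "uid"))
    print("SP KeyDescriptor uses:", inspect_sp_metadata(SP_METADATA))
```

Run it against the real decoded response from your browser: if `assertion_encrypted` is true and `attributes` is empty, the attribute is there but sealed, so the question is whether the SP holds the private key matching the `use="encryption"` certificate in its metadata. If the metadata lists only a single KeyDescriptor, or none marked `encryption`, that is what to compare against the certificate you pasted into Keycloak. For the signature question, toggle "Client signature required" in Keycloak and compare `response_signed` and `assertion_signed` between the two captures; a login that succeeds while both are false shows a response that was accepted unsigned.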