russellhaering / gosaml2

Pure Go implementation of SAML 2.0
Apache License 2.0
324 stars, 120 forks

HTTP-Redirect: Missing Signature and SigAlg parameters in SAMLRequest Url (AuthNRequest) #89

Open seriouszyx opened 2 years ago

seriouszyx commented 2 years ago

I'm using the latest gosaml2 and noticed that my identity provider (Keycloak) does not accept the signed AuthNRequest.

The reason is:

But it seems that the Redirect binding authUrl does not have SigAlg and Signature parameters, even though I set SignAuthnRequests to true and SPKeyStore to my own Keystore.

reference: https://github.com/spring-projects/spring-security/issues/7711

romaindutartre commented 2 years ago

Hi, I've had the exact same issue and I've been able to generate the correct signature using this code:

import (
    "github.com/beevik/etree"
    saml2 "github.com/russellhaering/gosaml2"
)

// Assumed context for the snippet: sp is a configured *saml2.SAMLServiceProvider
// and callbackURL is passed through as the RelayState.
func buildAuthURL(sp *saml2.SAMLServiceProvider, callbackURL string) (url string, err error) {
    if sp.SignAuthnRequests && sp.IdentityProviderSSOBinding == saml2.BindingHttpRedirect {
        // Build the AuthnRequest document ourselves and hand it to
        // BuildAuthURLRedirect so the redirect URL carries SigAlg and Signature.
        var doc *etree.Document
        doc, err = sp.BuildAuthRequestDocument()
        if err != nil {
            return
        }
        url, err = sp.BuildAuthURLRedirect(callbackURL, doc)
    } else {
        // Otherwise fall back to the library's default BuildAuthURL.
        url, err = sp.BuildAuthURL(callbackURL)
    }
    return
}

@russellhaering Is this the intended way of using the library? I thought that BuildAuthURL would have used something like this but it doesn't seem to be the case.

Regards, Romain
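Added example (not gosaml2 code and not from either commenter) of what the HTTP-Redirect binding actually signs, so the missing SigAlg/Signature parameters from this thread can be checked end to end: the SP deflates and base64-encodes the AuthnRequest, signs the URL-encoded `SAMLRequest=...&RelayState=...&SigAlg=...` string in exactly that order, and appends `Signature`; the verifier does what an IdP like Keycloak does with the received query. The function names, the stdlib-only approach and the RSA-SHA256 / PKCS#1 v1.5 choice are my assumptions; the sample AuthnRequest in the test is constructed.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
)

const RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // SigAlg URI the SP sends

// signedInput is the exact string the signature covers (SAML Bindings 3.4.4.1): SAMLRequest,
// RelayState (only if present), SigAlg, URL-encoded, in that order (url.Values.Encode sorts keys, so don't use it).
func signedInput(samlRequest, relayState string) string {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(RSASHA256)
}

// BuildSignedRedirectQuery raw-deflates and base64-encodes the AuthnRequest XML, signs the
// canonical query with the SP key and appends Signature (the parameters missing in the issue).
func BuildSignedRedirectQuery(key *rsa.PrivateKey, authnXML, relayState string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errors only on a bad level
	w.Write([]byte(authnXML))                                // bytes.Buffer writes never fail
	w.Close()
	input := signedInput(base64.StdEncoding.EncodeToString(buf.Bytes()), relayState)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // sig is nil on error
	return input + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), err
}

// VerifyRedirectQuery is the IdP-side check: rebuild the signed input from the received
// parameters, allow only the expected SigAlg, and verify Signature with the SP public key.
func VerifyRedirectQuery(pub *rsa.PublicKey, query string) error {
	q, err := url.ParseQuery(query)
	sig, decErr := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if err != nil || decErr != nil || q.Get("SigAlg") != RSASHA256 {
		return rsa.ErrVerification // malformed query, bad Signature encoding, or SigAlg not allowed
	}
	digest := sha256.Sum256([]byte(signedInput(q.Get("SAMLRequest"), q.Get("RelayState"))))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

A quick sanity check against a real IdP is to compare the SP's redirect URL with this layout: if `SigAlg` and `Signature` are absent, as in the thread, the IdP has nothing to verify and rejects the request.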