Your software
My Mautic version is: 5.2.2
My PHP version is: 8.3
My Database type and version is: MariaDB 10.11.11
Your problem
My problem is:
I’m trying to configure Mautic for single sign on via KeyCloak IdP with SAML assertions. After hitting the SAML login endpoint I get redirected to the KeyCloak login page. But KeyCloak just tells me that there was an error.
Examining the KeyCloak logs reveals that Mautic is using sha1 as the signature algorithm, which is rejected by KeyCloak due to security reasons.
The relevant part of the logs below is:
It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#sha1
when secure validation is enabled.
These errors are showing in the log:
sso_keycloak.1.zfbj7qirtjl5@bosmang | 2025-04-08 19:54:02,561 ERROR [org.keycloak.protocol.saml.SamlService] (executor-thread-38) request validation failed: org.keycloak.common.VerificationException: Error validating signature
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:100)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:82)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:789)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:314)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.protocol.saml.SamlService$BindingProtocol.execute(SamlService.java:720)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:903)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.protocol.saml.SamlService$quarkusrestinvoker$postBinding_d17d6a945044c2735831620fab7b8c7dc5595ba1.invoke(Unknown Source)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:635)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:11)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:11)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at java.base/java.lang.Thread.run(Unknown Source)
sso_keycloak.1.zfbj7qirtjl5@bosmang | Caused by: org.keycloak.saml.common.exceptions.ProcessingException: javax.xml.crypto.dsig.XMLSignatureException: PL00100: Signing Process Failure:
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:177)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:96)
sso_keycloak.1.zfbj7qirtjl5@bosmang | ... 17 more
sso_keycloak.1.zfbj7qirtjl5@bosmang | Caused by: javax.xml.crypto.dsig.XMLSignatureException: PL00100: Signing Process Failure:
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.saml.common.DefaultPicketLinkLogger.signatureError(DefaultPicketLinkLogger.java:185)
sso_keycloak.1.zfbj7qirtjl5@bosmang | ... 19 more
sso_keycloak.1.zfbj7qirtjl5@bosmang | Caused by: javax.xml.crypto.MarshalException: It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#sha1 when secure validation is enabled
sso_keycloak.1.zfbj7qirtjl5@bosmang | at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMReference.<init>(Unknown Source)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMSignedInfo.<init>(Unknown Source)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.<init>(Unknown Source)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshal(Unknown Source)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignatureFactory.unmarshalXMLSignature(Unknown Source)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateUsingKeySelector(XMLSignatureUtil.java:554)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validateSingleNode(XMLSignatureUtil.java:523)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(XMLSignatureUtil.java:488)
sso_keycloak.1.zfbj7qirtjl5@bosmang | at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.validate(SAML2Signature.java:175)
sso_keycloak.1.zfbj7qirtjl5@bosmang | ... 18 more
How can I configure Mautic to use sha256 instead of sha1 for signing?
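Before and after changing the SP's signing settings it helps to confirm what the AuthnRequest actually carries. The script below is an added example (my own code, not Mautic's or Keycloak's): it decodes a SAMLRequest from either the HTTP-POST binding (signature embedded in the XML, which is the path in the trace above) or the HTTP-Redirect binding (algorithm in the SigAlg query parameter) and lists every SHA-1 based algorithm URI, the ones Keycloak refuses when secure validation is enabled. The AuthnRequest skeleton, the example host names and the placeholder DigestValue/SignatureValue are constructed for the demonstration.

```python
"""Report the XML-DSig algorithms a SAML AuthnRequest carries.

Constructed example, not Mautic or Keycloak code. Decodes a SAMLRequest as
sent by the HTTP-POST binding (signature inside the XML) or the HTTP-Redirect
binding (signature in the SigAlg/Signature query parameters) and lists every
SHA-1 based algorithm URI, which Keycloak rejects under secure validation.
"""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET  # for untrusted input prefer defusedxml

DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = DS + "rsa-sha1"                                   # rejected by Keycloak
SHA1 = DS + "sha1"                                           # the URI in the trace
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"


def build_authn_request(sig_method, digest_method, signed=True):
    """Constructed AuthnRequest skeleton (hypothetical issuer). DigestValue and
    SignatureValue are placeholders: only the algorithm URIs matter here."""
    signature = f"""
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_method}"/>
      <ds:Reference URI="#_req1">
        <ds:DigestMethod Algorithm="{digest_method}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>""" if signed else ""
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2025-04-08T19:54:02Z">
  <saml:Issuer>https://mautic.example.test/saml/metadata</saml:Issuer>{signature}
</samlp:AuthnRequest>""".encode()


def signature_algorithms(xml_bytes):
    """Return the SignatureMethod URI and all DigestMethod URIs in the document."""
    root = ET.fromstring(xml_bytes)
    sig = root.find(f".//{{{DS}}}SignatureMethod")
    return {
        "signature_method": sig.get("Algorithm") if sig is not None else None,
        "digest_methods": [d.get("Algorithm") for d in root.iter(f"{{{DS}}}DigestMethod")],
    }


def inspect_post_binding(saml_request_b64):
    """HTTP-POST binding: the SAMLRequest form field is base64 of the signed XML."""
    return signature_algorithms(base64.b64decode(saml_request_b64))


def inspect_redirect_url(url):
    """HTTP-Redirect binding: SAMLRequest is raw-DEFLATE + base64 and the XML is
    normally unsigned; SigAlg names the algorithm used over the query string."""
    query = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    report = signature_algorithms(xml)
    report["signature_method"] = query.get("SigAlg", [report["signature_method"]])[0]
    return report


def weak_algorithms(report):
    """Every SHA-1 based algorithm URI in the report (…#rsa-sha1, …#sha1, …)."""
    used = [report["signature_method"], *report["digest_methods"]]
    return sorted({a for a in used if a and a.lower().endswith("sha1")})


def encode_post(xml_bytes):
    return base64.b64encode(xml_bytes).decode()


def encode_redirect(xml_bytes, sig_alg, base="https://idp.example.test/realms/demo/protocol/saml"):
    """Build a Redirect-binding URL the way an SP does (raw DEFLATE, base64, urlencode).
    The Signature value is a placeholder; hypothetical IdP endpoint."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_bytes) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(),
              "SigAlg": sig_alg, "Signature": "AAAA"}
    return base + "?" + urlencode(params)


if __name__ == "__main__":
    weak = encode_post(build_authn_request(RSA_SHA1, SHA1))
    print("POST sha1    :", weak_algorithms(inspect_post_binding(weak)))
    good = encode_post(build_authn_request(RSA_SHA256, SHA256))
    print("POST sha256  :", weak_algorithms(inspect_post_binding(good)))
    url = encode_redirect(build_authn_request(None, None, signed=False), RSA_SHA256)
    print("Redirect     :", weak_algorithms(inspect_redirect_url(url)))
```

Feed it the SAMLRequest value copied from the browser's network tab (the form field for the POST binding, the full URL for the Redirect binding). The trace above comes from the POST path, so both the SignatureMethod and the Reference's DigestMethod live inside the XML, and both must move off SHA-1 for Keycloak to accept the request.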