Keycloak SAML Broker Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in Keycloak's SAML broker functionality. A SAML client that has been disabled but is still configured as the landing target for Identity Provider (IdP)-initiated brokered logins continues to accept those logins: a user who authenticates at the external IdP is still granted a valid Keycloak Single Sign-On (SSO) session in the broker realm. Because that session is valid for the whole realm, the user can then reach every other enabled client without re-authenticating, even though the administrator disabled the client precisely so that it could no longer be used to log in.

Impact

A user who can authenticate at the external IdP obtains a Keycloak session through a client the administrator has disabled, and can then use that session to access the applications behind any other enabled client in the realm without re-authentication. Disabling the client does not have its intended effect of blocking logins that arrive through it.

Reproduction

To reproduce this vulnerability, create a SAML client in the Keycloak broker realm and configure it as an IdP-initiated broker landing target (in Keycloak this is the client's IDP Initiated SSO URL name, which the external IdP addresses through the realm's broker endpoint). Disable the client while leaving that setting in place. When a user who exists in the external IdP performs an IdP-initiated login against the disabled client, Keycloak still completes the brokered authentication and creates a valid Keycloak SSO session, which can be used to access the realm's other enabled clients without re-authentication.

Remediation

To address this vulnerability, ensure that no disabled SAML client remains configured as an IdP-initiated broker landing target: clear the client's IDP Initiated SSO URL name before disabling it, or remove the client entirely, and reconfigure the external IdP so that it no longer sends unsolicited responses for that client. Audit every realm that brokers to an external SAML IdP, since the landing-target setting lives on the individual client and is easy to leave behind when a client is retired.
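The audit a practitioner would run against a realm, as an added example that is not part of the original advisory or of Keycloak's own code: it scans the client list returned by the Admin REST API (GET /admin/realms/{realm}/clients, or the "clients" array of a realm export) for disabled SAML clients that still carry an IDP Initiated SSO URL name, and builds the corrected client representation to PUT back. The attribute key saml_idp_initiated_sso_url_name, the broker endpoint shape /realms/<realm>/broker/<alias>/endpoint/clients/<name>, the hostname and the client list are assumptions constructed for this example.

```python
"""Audit Keycloak ClientRepresentations for disabled SAML clients that are
still reachable as IdP-initiated broker landing targets, and build the
corrected representation to PUT back through the Admin REST API.

Input is the JSON list returned by GET /admin/realms/{realm}/clients
(or the "clients" array of a realm export). The sample below is constructed
for this example, not taken from a real deployment."""
import json
from typing import Any

# Client attribute holding the "IDP Initiated SSO URL name" field of a SAML
# client in the admin console (assumed attribute key, not from the advisory).
IDP_INITIATED_ATTR = "saml_idp_initiated_sso_url_name"


def broker_landing_url(base_url: str, realm: str, idp_alias: str, sso_url_name: str) -> str:
    """URL the external IdP posts an unsolicited SAML Response to when it
    targets this client through the broker (assumed endpoint shape)."""
    return (f"{base_url.rstrip('/')}/realms/{realm}/broker/{idp_alias}"
            f"/endpoint/clients/{sso_url_name}")


def find_disabled_landing_targets(clients: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return the disabled SAML clients that still carry an IdP-initiated
    SSO URL name, i.e. exactly the configuration the advisory describes."""
    findings = []
    for client in clients:
        if client.get("protocol") != "saml":
            continue
        attrs = client.get("attributes") or {}
        sso_name = (attrs.get(IDP_INITIATED_ATTR) or "").strip()
        if not sso_name:
            continue  # not an IdP-initiated landing target at all
        if client.get("enabled", True):
            continue  # enabled client: intended behaviour, nothing to flag
        findings.append({"clientId": client["clientId"], "ssoUrlName": sso_name})
    return findings


def remediated_representation(client: dict[str, Any]) -> dict[str, Any]:
    """Copy of the client with the landing-target attribute removed, suitable
    for PUT /admin/realms/{realm}/clients/{id}. The client stays disabled."""
    fixed = json.loads(json.dumps(client))  # deep copy; leave the input untouched
    fixed.setdefault("attributes", {}).pop(IDP_INITIATED_ATTR, None)
    return fixed


# Constructed sample: one enabled OIDC client, one enabled SAML landing target
# (fine), one disabled SAML landing target (the misconfiguration), and two
# disabled SAML clients that are harmless because they have no SSO URL name.
SAMPLE_CLIENTS: list[dict[str, Any]] = json.loads("""
[
  {"id": "c1", "clientId": "account", "protocol": "openid-connect", "enabled": true,
   "attributes": {}},
  {"id": "c2", "clientId": "hr-app", "protocol": "saml", "enabled": true,
   "attributes": {"saml_idp_initiated_sso_url_name": "hr"}},
  {"id": "c3", "clientId": "legacy-portal", "protocol": "saml", "enabled": false,
   "attributes": {"saml_idp_initiated_sso_url_name": "legacy"}},
  {"id": "c4", "clientId": "retired-app", "protocol": "saml", "enabled": false,
   "attributes": {}},
  {"id": "c5", "clientId": "retired-app-2", "protocol": "saml", "enabled": false,
   "attributes": {"saml_idp_initiated_sso_url_name": "  "}}
]
""")

if __name__ == "__main__":
    for finding in find_disabled_landing_targets(SAMPLE_CLIENTS):
        url = broker_landing_url("https://sso.example.com", "corp", "corp-idp",
                                 finding["ssoUrlName"])
        print(f"disabled SAML client still reachable as landing target: "
              f"{finding['clientId']} via {url}")
```

Run it against the real client list by replacing SAMPLE_CLIENTS with the Admin API response; each finding names a client that must have its IDP Initiated SSO URL name cleared (the output of remediated_representation) or be deleted, and the external IdP must stop posting to the printed URL.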

Added: Mar 5, 2026, 7:19 PM
Updated: Mar 5, 2026, 7:41 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.0
exploitability: 6.6
remediation: 7.9
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.