Keycloak validates that plaintext `<Assertion>` elements are signed when the response root is not signed, but it does not apply the same binding requirement to `<EncryptedAssertion>`. The SAML broker endpoint then decrypts and processes the first assertion choice, which allows an attacker to inject an encrypted assertion for an arbitrary principal alongside a valid signed assertion for themselves.

The response can therefore be crafted as follows:

1. Remove the signature over the full response, if present.
2. Obtain the realm's public key and use it to encrypt the new assertion.
3. Place this encrypted assertion first.
4. Keep the second assertion, which must be signed and valid.

This way, Keycloak validates the signature on the second assertion but selects the first one, which is only encrypted and not signed. The missing check is that the selected assertion must itself be signed when the full message is not.

**Additional notes**

The attack is valid for both the SAML adapter and the SAML identity provider. The issue requires that the original message be signed at the assertion level.

**Requirements to exploit**

The attacker first needs to obtain (steal) a valid SAML assertion that is signed at the assertion level.
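As an added example (not Keycloak's code), the following enforces the binding rule the advisory says is missing: when the Response is unsigned, the assertion choice that is actually selected, after decryption if it is an `<EncryptedAssertion>`, must carry its own signature. The `decrypt` callback and the sample response are constructed assumptions; cryptographic verification of the signatures is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION, ENCRYPTED = f"{{{NS_A}}}Assertion", f"{{{NS_A}}}EncryptedAssertion"

def is_signed(el):
    # An enveloped XML signature is a direct ds:Signature child of the element it covers.
    return el.find(f"{{{NS_DS}}}Signature") is not None

def select_assertion(response_xml, decrypt):
    """Return the first assertion choice, applying the binding rule to the chosen element.
    `decrypt` (hypothetical) maps an EncryptedAssertion element to its plaintext Assertion.
    Cryptographic verification of signatures is assumed to happen elsewhere; this check only
    refuses to hand over an unsigned assertion when the Response itself is unsigned."""
    root = ET.fromstring(response_xml)
    response_signed = is_signed(root)
    for child in root:
        if child.tag == ASSERTION:
            chosen = child
        elif child.tag == ENCRYPTED:
            chosen = decrypt(child)  # the same rule must hold after decryption
        else:
            continue  # Issuer, Status, Signature, ...
        if not response_signed and not is_signed(chosen):
            raise ValueError("selected assertion is unsigned and so is the Response")
        return chosen
    raise ValueError("Response carries no assertion")

def accepts(response_xml, decrypt):
    try:
        select_assertion(response_xml, decrypt)
        return True
    except ValueError:
        return False

# Constructed sample: unsigned Response, EncryptedAssertion first, signed plaintext Assertion second.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS_P}" xmlns:saml2="{NS_A}" xmlns:ds="{NS_DS}">
  <saml2:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml2:EncryptedAssertion>
  <saml2:Assertion ID="a2"><ds:Signature/><saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject></saml2:Assertion>
</saml2p:Response>"""

def plaintext(name_id, signed):
    # Stand-in for XML decryption output; constructed, not a real decrypted assertion.
    sig = f'<ds:Signature xmlns:ds="{NS_DS}"/>' if signed else ""
    return ET.fromstring(f'<saml2:Assertion xmlns:saml2="{NS_A}" ID="a1">{sig}<saml2:Subject>'
                         f'<saml2:NameID>{name_id}</saml2:NameID></saml2:Subject></saml2:Assertion>')

decrypt_unsigned = lambda _el: plaintext("bob", signed=False)  # the injected, unsigned case
decrypt_signed = lambda _el: plaintext("bob", signed=True)     # a properly bound encrypted assertion
```

With `decrypt_unsigned` the sample is rejected even though the second assertion is signed; with `decrypt_signed`, or when the Response root itself is signed, the first choice is accepted.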