Skip to content

allows the signature to be embedded outside the assertion element #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bcoe wants to merge 1 commit into from
Closed

allows the signature to be embedded outside the assertion element #48

bcoe wants to merge 1 commit into from

Conversation

@bcoe
Copy link

@bcoe bcoe commented Dec 12, 2015

Testing against a major SAML provider, I noticed that it's valid for the signature to live outside of the assertion.

This change, along with:

#47

and

https://github.com/yaronn/xml-crypto/pull/82/files

Adds support to saml2 for one of the bigger SAML providers out there -- we will need to also bump xml-crypto once 82 lands.

@jefff
Copy link
Contributor

jefff commented Dec 18, 2015

Thanks for the PR! Sorry about the delay in response. I noticed something strange in the test case here which lead to noticing a bug in how we verify signatures. I fixed that on master which unfortunately means you test case is no longer passing. I think the change is otherwise good so if you're able to fix the test we can get this merged.

@bcoe
Copy link
Author

bcoe commented Dec 18, 2015

@jefff I actually found another issue testing today; I think even though there are multiple assertions each with a signature only the hash from the first assertion is checked -- I didn't dig too much, but I noticed saml20 simply takes the first signature if there are more than one; I wonder what the right call is?

@jefff
Copy link
Contributor

jefff commented Dec 18, 2015

Do you have an example of that case? I think we generally reject multiple assertions due to the complexity of combining and verifying them correctly (and also because none of the IdP's we tested with ever did that). I think the only correct way to handle that would be to verify each assertion is individually signed, and then return a result that represents a combination of all the individual assertions which needless to say would be difficult to get exactly right.

@bcoe
Copy link
Author

bcoe commented Dec 18, 2015

@jefff this is the payload (from a major SAML IDP I can't name) that is giving all kinds of trouble:

https://gist.github.com/bcoe/4bfc7d35be1f6cde048b

It also has trouble with xml-crypto/xml-dom.

@jefff
Copy link
Contributor

jefff commented Dec 18, 2015

Ah, OK. In that example there is only one Assertion but two signatures; one that signs the Response and one that signs the contained Assertion. I think the library could be modified to accept the first one that contains the assertion, which in this case would be either of them. It's also likely that your IdP may have an option to turn one of the two off (I'd recommend turning off the one signing the Response if you have the choice).

@chad3814 chad3814 mentioned this pull request Mar 9, 2016
Closed
chad3814 added a commit to chad3814/saml2 that referenced this pull request Mar 10, 2016
@chad3814
allow signature external to the assertion
b0f79ee 
- this should fix Clever#57 and Clever#48; see them for comments
@chad3814 chad3814 mentioned this pull request Mar 10, 2016
Merged
@cozmo
Copy link
Contributor

cozmo commented Aug 30, 2016

This PR has been quiet for quite some time - @bcoe where do we stand on this? Is this still relevant/needed?

@cozmo cozmo mentioned this pull request Aug 30, 2016
Closed
@mohit
Copy link

mohit commented Jan 16, 2017

Closing due to inactivity from author. @bcoe please comment if you want to repopen.

@mohit mohit closed this Jan 16, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bcoe @jefff @cozmo @mohit