How to have a SAML request/response signed using Spring Security SAML extension

Question

I was able to have my application act as a SP with the IDP SSOCIRCLE using the Spring Security SAML extension. My customer has the following requirements:

1. Have the assertion signed: The assertion sent from the IDP is signed and it is working fine.

2. Have the request/response signed: When using SSO Circle to generate the metadata file. I selected the option AuthnRequestsSigned to true. I uploaded my SP metadata to the SSO Circle IDP. The SP metadata had the following values as true: AuthnRequestsSigned & WantAssertionsSigned. When running the application neither my request nor the response I get are signed.

I am having issues to have the second requirement done. I am new to SAML and to Security in general. What am I missing here?

UPDATE

After taking into consideration Vladimir's comments. I changed my binding to HTTP-Post, so now I am sending the SAML Request with the signature shown. I was able to send the request signed using my private key(not the one provided by the sample project) by doing the following:

1. Create a keystore, CSR, and a public key certificate using the keygen tool.
2. Update the Digital Signature section in my SP metadata file to have the new certificate
3. Remove the old SP metadata file from IDP SSOCIRCLE and add the new SP metadata file
4. Change spring configurations to have the JKSKeyManager to use the new keystore I created with the new alias and password.

What I need to do now is to have the IDP(SSOCIRCLE) send the response where a. The response is signed b. The assertion is signed

How can that be achieved? what changes do I need to do to handle that, given that the signing of the response should be different than the signing of the assertion. Thanks.

Answer 1

TLDR: HTTP Redirect Binding requires that the old response-level signature (not the assertion level signature/s) is stripped out and a NEW signature is added to the URL instead.

Strip out old response-level signature

HTTP Redirect Binding (saml-bindings-2.0-os, lines 520-752) requires that any <ds:Signature> element present on the SAML message itself is removed before sending of the message:

Quote from saml-bindings-2.0-os, lines 578-582:

Any signature on the SAML protocol message, including the <ds:Signature> XML element itself, MUST be removed. Note that if the content of the message includes another signature, such as a signed SAML assertion, this embedded signature is not removed. However, the length of such a message after encoding essentially precludes using this mechanism. Thus SAML protocol messages that contain signed content SHOULD NOT be encoded using this mechanism.

Add new URL signature

At the same time HTTP Redirect Binding requires that a NEW digital signature is attached to the GET URL as parameter Signature.

Quote from saml-bindings-2.0-os, lines 608-609:

The signature value MUST be encoded using the base64 encoding (see RFC 2045 [RFC2045]) with any whitespace removed, and included as a query string parameter named Signature.

This means that with HTTP-Redirect you cannot send message with Signature on message level, instead the signature is added to the URL. Therefore the whole message sent from Spring SAML to IDP is signed (check it from the data sent from the SP).

There is no standard way to force IDP to send the Response message signed on message level in addition to including signature in the assertion. In case you're using SSL/TLS the authenticity and non-repudiation of the message (characteristics of digital signatures) is provided by transport layer.