Reputation: 1240
We are using Spring Security SAML (v1.0.3) in our Java application for SAML SSO with IDP.

Requirement: Accept only signed SAML response messages from IDP; if the SAML response is not signed, then throw an exception.

Actual Result: Even if the signing information is completely missing from the SAML Login response message, it is accepted and the Spring Security SAML library doesn't throw an exception.

Observations:

- requireLogoutRequestSigned and requireLogoutResponseSigned in the extended metadata generator control whether logout request and response shall be signed or not.
- wantAssertionSigned indicates whether the SP requires signed assertions or not.

Questions:

- Spring Security SAML framework that enables the SP to only accept a signed Login response (at the message level) from IDP?
- wantAssertionSigned only enables signed assertions and not the message.

Upvotes: 2
Views: 2112
Reputation: 31
Details for Q1: Enforce signed response message
First of all, make sure a proper binding is used that allows for a signed response.

For example, the HTTP Redirect Binding should not have a signature in the response itself, if I understood correctly what is written in saml-bindings-2.0-os.pdf, lines 578-582:

"Any signature on the SAML protocol message, including the <ds:Signature> XML element itself, MUST be removed. Note that if the content of the message includes another signature, such as a signed SAML assertion, this embedded signature is not removed. However, the length of such a message after encoding essentially precludes using this mechanism. Thus SAML protocol messages that contain signed content SHOULD NOT be encoded using this mechanism."

As for the HTTP POST binding, which was used in a project I was working on recently, the same document, saml-bindings-2.0-os.pdf, lines 839-842, states:

"The presence of the user agent intermediary means that the requester and responder cannot rely on the transport layer for end-end authentication, integrity or confidentiality protection and must authenticate the messages received instead. SAML provides for a signature on protocol messages for authentication and integrity for such cases. Form-encoded messages MAY be signed before the base64 encoding is applied."
Based on this, we made the decision to enforce that all response messages processed by the HTTP POST Binding MUST be signed. We left the other bindings intact.

To achieve this, I've subclassed Spring's existing HTTPPostBinding. I've then instructed the Spring-provided SAMLProcessorImpl to use this binding instead of its default one.

The default implementation of HTTPPostBinding.java includes this:

```java
// engine is the SignatureTrustEngine of the current SAMLMessageContext
securityPolicy.add(new SAML2HTTPPostSimpleSignRule(engine, parserPool, engine.getKeyInfoResolver()));
securityPolicy.add(new SAMLProtocolMessageXMLSignatureSecurityPolicyRule(engine));
```

But my custom binding implementation adds an additional OpenSAML SecurityPolicyRule. As for that rule, it is a pretty simple implementation that enforces all SAML messages to be signed. Signature verification is left to OpenSAML's already existing SAMLProtocolMessageXMLSignatureSecurityPolicyRule. This one is included by default in the default HTTPPostBinding (see code snippet above), and, also by default, allows for the signature to be MISSING. This could be a good starting point to look at if you decide to go with your own security policy rule implementation.
Regarding signed assertions:
As for assertion signatures, I think there is an issue with default implementation as well but that might be out of scope of your questions.
Hope this helps, cheers.
Upvotes: 3
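The approach the answer above describes, as an added example that is not the answerer's code nor part of Spring Security SAML: an HTTPPostBinding subclass that prepends a fail-closed SecurityPolicyRule rejecting any inbound SAML protocol message without a <ds:Signature>, and then lets the stock rules verify the signature. The package name is hypothetical; the `getSecurityPolicy(List<SecurityPolicyRule>, SAMLMessageContext)` override is assumed to be the hook the quoted `securityPolicy.add(...)` lines live in, and the OpenSAML 2.x types (SecurityPolicyRule, SecurityPolicyException, SignableSAMLObject) are assumed from the library's public API.

```java
package example.saml; // hypothetical package name

import java.util.List;

import org.apache.velocity.app.VelocityEngine;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.processor.HTTPPostBinding;

/**
 * HTTP-POST binding that fails closed: any inbound SAML protocol message
 * that carries no <ds:Signature> is rejected before the stock rules run.
 * Other bindings (e.g. HTTP-Redirect, where a message-level signature is
 * not carried in the XML) are left untouched.
 */
public class SignedOnlyHTTPPostBinding extends HTTPPostBinding {

    public SignedOnlyHTTPPostBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
        super(parserPool, velocityEngine);
    }

    // Assumed hook: the binding contributes its rules to the policy chain that
    // is evaluated for each inbound message (this is where the default
    // SimpleSign and XML-signature rules quoted in the answer are added).
    @Override
    public void getSecurityPolicy(List<SecurityPolicyRule> securityPolicy, SAMLMessageContext samlContext) {
        // Presence check first, so an unsigned message is refused with a clear reason...
        securityPolicy.add(new RequireSignedMessageRule());
        // ...then the default rules, which verify the signature we now know is present
        // against the local SignatureTrustEngine and fail on an invalid or untrusted one.
        super.getSecurityPolicy(securityPolicy, samlContext);
    }

    /** Rejects unsigned messages; validity and trust of the signature are NOT checked here. */
    static final class RequireSignedMessageRule implements SecurityPolicyRule {

        @Override
        public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
            if (!(messageContext instanceof SAMLMessageContext)) {
                throw new SecurityPolicyException(
                        "Unexpected message context: " + messageContext.getClass().getName());
            }
            Object inbound = ((SAMLMessageContext) messageContext).getInboundSAMLMessage();
            if (!(inbound instanceof SignableSAMLObject)) {
                // A message type that cannot carry a signature can never satisfy the policy.
                throw new SecurityPolicyException("Inbound SAML message cannot carry a signature; rejecting");
            }
            // isSigned() only reports whether a <ds:Signature> element exists.
            // SAMLProtocolMessageXMLSignatureSecurityPolicyRule, later in the chain,
            // is what actually verifies it; on its own it tolerates a missing signature,
            // which is the gap this rule closes.
            if (!((SignableSAMLObject) inbound).isSigned()) {
                throw new SecurityPolicyException("Inbound SAML message is not signed; rejecting");
            }
        }
    }
}
```

To activate it, register an instance of this class in place of the stock HTTPPostBinding in the list of bindings handed to SAMLProcessorImpl (the `processor` bean in a typical Spring XML configuration), keeping the other binding beans as they are. Because the presence rule runs before the verification rules, an unsigned Response fails with an explicit SecurityPolicyException rather than being silently accepted, while a signed-but-untrusted Response is still rejected by the existing XML-signature rule.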