SamlIdPInitiatedProfileHandlerController: signature verification useless?

antoine m

Aug 3, 2021, 12:10:48 PM8/3/21
to CAS Developer
Hi,

I have an error in IDP Initiated SSO (Unsolicited) when I override default SAML [metadata / keys] for a specific service.

2021-08-03 14:50:37,868 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator] - <Signature cryptographic validation not successful>
org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
       at org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl.validate(ApacheSantuarioSignatureValidationProviderImpl.java:79) ~[opensaml-xmlsec-impl-4.1.1.jar:?]
       at org.opensaml.xmlsec.signature.support.SignatureValidator.validate(SignatureValidator.java:54) ~[opensaml-xmlsec-api-4.1.1.jar:?]
       at org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:228) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
       at org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(SamlObjectSignatureValidator.java:99) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
       at org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(SamlObjectSignatureValidator.java:119) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
       at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifyAuthenticationContextSignature(AbstractSamlIdPProfileHandlerController.java:529) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
       at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifyAuthenticationContextSignature(AbstractSamlIdPProfileHandlerController.java:502) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
       at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:482) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
       at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.initiateAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:350) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
       at org.apereo.cas.support.saml.web.idp.profile.SamlIdPInitiatedProfileHandlerController.handleIdPInitiatedSsoRequest(SamlIdPInitiatedProfileHandlerController.java:130) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]

The root cause is that CAS signs the AuthnRequest with the private key from the service metadata but verifies the signature with the global public key.

More generally, I don't understand why we need to verify the signature in IDP Initiated SSO, because the AuthnRequest is not a real AuthnRequest from the SP but is built by CAS itself (a fake AuthnRequest).

I would like to create a PR to simply skip signature verification in SamlIdPInitiatedProfileHandlerController (override verifyAuthenticationContextSignature()), but I would like to be sure I don't miss a use case with this mechanism.
The signUnsolicitedAuthnRequest attribute in the SAML service is also related to this point.

Regards,
Antoine
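An added example, not CAS code, that models the key-source mismatch described in the post with Go standard-library RSA (samlService, resolveKey and runScenario are hypothetical names; the AuthnRequest bytes are constructed): a signature made with a per-service override key is rejected under the global public key and accepted only when the verification key is resolved from the same source as the signing key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Hypothetical stand-in for a CAS SAML service with overridden metadata/keys:
// Override is the per-service key, nil means the global IdP key applies.
type samlService struct{ Override *rsa.PrivateKey }
// resolveKey is the one place both signing and verification must consult; the
// thread reports signing with the override key but verifying with the global one.
func resolveKey(global *rsa.PrivateKey, s samlService) *rsa.PrivateKey {
	if s.Override != nil {
		return s.Override
	}
	return global
}

func verify(pub *rsa.PublicKey, req, sig []byte) bool {
	d := sha256.Sum256(req)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// runScenario signs a constructed unsolicited AuthnRequest with the service key,
// then verifies it with the global key (reported) and with the resolved key (expected).
func runScenario() (globalAccepts, resolvedAccepts bool, err error) {
	global, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	override, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	svc := samlService{Override: override}
	// Constructed placeholder for the AuthnRequest CAS builds itself in IdP-initiated SSO.
	req := []byte(`<samlp:AuthnRequest ID="_constructed" ProviderName="sp.example.test"/>`)
	d := sha256.Sum256(req)
	sig, err := rsa.SignPKCS1v15(rand.Reader, resolveKey(global, svc), crypto.SHA256, d[:])
	if err != nil {
		return false, false, err
	}
	globalAccepts = verify(&global.PublicKey, req, sig)                   // false: key mismatch
	resolvedAccepts = verify(&resolveKey(global, svc).PublicKey, req, sig) // true
	return globalAccepts, resolvedAccepts, nil
}
```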