spring saml signature verification and decryption order for assertion - spring-saml

Currently Spring SAML seems to check the signature first, before decrypting the assertion, while the IdP being used is signing the assertion first, resulting in Spring SAML failing to verify the signature. Is there a way the order of signature verification and decryption can be changed?

Boneh in https://class.coursera.org/crypto-preview/wiki/LectureSlidesPublicCourse does not recommend such switching. It's more vulnerable.

Related

MSIS0037: No signature verification certificate found for issuer

I am trying to integrate SAML with a Java Spring Boot application. I integrated it with Okta, and it works fine. But when I change the config to point to the actual ADFS (not Okta), I get this error on ADFS: "MSIS0037: No signature verification certificate found for issuer 'https://xxx.mydomain.com/saml/metadata'".
I checked my SAML auth request using SAML tracer and in that the issuer is https://xxx.mydomain.com/saml/metadata, but I guess it should be https://xxx.mydomain.com and I am guessing that is why I get this error. I have installed an internally generated certificate on the server, and put the public key in the metadata I have provided to the ADFS team, which they have inserted successfully. Can anyone guide me on how to change the issuer in my SAML request?
You can change the issuer in the SAML request: <saml:Issuer>https://xxx.mydomain.com</saml:Issuer>
This guide has some good samples for doing this with ADFS and spring boot: https://myshittycode.com/2016/02/18/spring-security-saml-configuring-binding-for-sending-saml-messages-to-idp/

Does Spring Security Saml 2.0 support Assertion Level Encryption and AES-256 as Encryption Algorithm?

I am relatively new to SSO. There are two requirements (see title) I'd like to check against my Spring Framework environment but I am not sure how to get the answers. It seems like the docs also don't provide a direct answer to this.
Any input would be appreciated on how to determine what is supported or not in this SAML implementation.
Yes, Spring SAML is able to receive SAML messages encrypted using AES-256 (http://www.w3.org/2001/04/xmlenc#aes256-cbc) by default. But it is not possible to configure Spring SAML to encrypt messages sent to IDP.

use of samlKeystore.jks in Spring SAML extension

I am new to SSO and the Spring SAML extension.
I have implemented the Spring SAML extension in our application, where our application acts as an SP. I have the following questions related to our requirement.
1) I would like to understand the use of samlKeystore.jks in the Spring SAML extension.
2) I would like to know if we can skip the use of samlKeystore.jks in any manner.
Basically the reason for this is that the client can give us information on just the metadata and nothing apart from that. If we are using samlKeystore.jks, do we need anything else?
If you don't need to sign SAML protocol messages or encrypt SAML assertions you don't need the keystore. However, some SAML bindings mandate or at least highly recommend signing so that the protocol messages are not tampered with at the user agent.
The keystore is used for storage of private certificates used to digitally sign messages created by the Service Provider and decrypting of messages sent from Identity Providers.
Spring SAML currently requires you to have at least a default key available, even in case it won't get used.

Require encrypted assertion for Spring SAML Service Provider

I am using Spring SAML and have a service provider configured that accepts encrypted assertions. Is there a way to configure the SP so that it rejects assertions that are not encrypted?
No you can't configure Spring SAML to enforce this rule. The easiest way to get it in place is to extend WebSSOProfileConsumerImpl, override e.g. method processAuthenticationResponse and throw org.opensaml.xml.security.SecurityException in case the assertion isn't encrypted.
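The override the answer describes, as an added example that is not code from the original post or from the Spring SAML project. It assumes Spring Security SAML 1.0.x on OpenSAML 2, where the inbound message is an org.opensaml.saml2.core.Response with getAssertions() and getEncryptedAssertions(); the class name is hypothetical.

```java
// Added example: reject any Response that carries a plaintext <saml:Assertion>.
// Assumptions: Spring Security SAML 1.0.x / OpenSAML 2 API (Response,
// getAssertions(), getEncryptedAssertions(), getInboundSAMLMessage()).
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.validation.ValidationException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

public class EncryptedAssertionRequiredConsumer extends WebSSOProfileConsumerImpl {

    @Override
    public SAMLCredential processAuthenticationResponse(SAMLMessageContext context)
            throws SAMLException, SecurityException, ValidationException, DecryptionException {

        // Look at the raw inbound message before the parent class decrypts anything,
        // so the check sees exactly what the IdP put on the wire.
        Object inbound = context.getInboundSAMLMessage();
        if (!(inbound instanceof Response)) {
            throw new SAMLException("Inbound message is not a SAML Response");
        }
        Response response = (Response) inbound;

        // A plaintext assertion violates the policy even if encrypted ones are also
        // present: an attacker-controlled mix must not slip through.
        if (!response.getAssertions().isEmpty()) {
            throw new SecurityException(
                    "Response contains an unencrypted assertion; encrypted assertions are required");
        }

        // Responses with no assertion at all (e.g. an error status) and all remaining
        // work (signature check, decryption, conditions, subject confirmation) are
        // left to the parent implementation unchanged.
        return super.processAuthenticationResponse(context);
    }
}
```

Register this class in place of the WebSSOProfileConsumerImpl bean in your Spring SAML context so the SP uses it for every incoming Response.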

"Signature did not validate against the credential's key" with Junos as IdP

I've implemented SSO using Spring SAML and everything is working fine for an interaction with idp.ssocircle.com.
Now I am trying to use another identity provider. I have downloaded the metadata of the IdP and have linked it in my Spring XML config. I have also uploaded the metadata of the service provider to the IdP and have linked it in the Spring XML config.
I am redirected to the login page of my IdP and can successfully enter my credentials. But an error like this appears: "Signature did not validate against the credential's key".
There is another Stack Overflow post which describes a similar problem, see "HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid" with Salesforce as IdP for implementing SSO.
But I have problems following the solution, because my SAML response captured by Fiddler does not contain an element like "X509Certificate".
Edit(!): But I have to say that the metadata of my identity provider contains an element like "ds:X509Certificate" in "ds:KeyInfo" with some content. But there is also another empty "ds:KeyInfo" element with an empty "ds:X509Data" element.
Is there something wrong with the configuration of the identity provider?
Can anybody tell me what is happening here?
Complete log file: https://drive.google.com/file/d/0B3RlRCEjz-cvZGQ5aldzaUc0blE/edit?usp=sharing
Thanks in advance,
Andi
It seems that the Response message is signed using a different certificate than what is included in the IdP metadata. You should ask your IdP to tell you what certificates they use for their signatures and add them to their metadata file. Based on what you say it could also be that the metadata file is simply incomplete or corrupted.
The other option is to add the certificate they provide you to the samlKeystore.jks (and remember the alias). Then define the alias as signingKey on the ExtendedMetadata of your IdP's metadata definition in Spring configuration. You can find details on using the ExtendedMetadata in the Spring SAML manual.
The fact that the key is not included in the Response message is not wrong, Spring SAML knows which keys to use from the metadata and ExtendedMetadata configuration.
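The second option in the answer above, as an added example that is not code from the original answer or from the Spring SAML project: the IdP metadata is wrapped in an ExtendedMetadataDelegate whose ExtendedMetadata signingKey names the keystore alias under which the IdP's real signing certificate was imported. The keystore path, passwords, the alias "idp-signing", the SP key alias and the metadata file path are placeholders; the API assumed is Spring Security SAML 1.0.x on OpenSAML 2.

```java
// Added example: point signature verification for an IdP at a keystore alias.
// Placeholders: keystore location/passwords, aliases "sp-key" and "idp-signing",
// and the metadata file path. Assumes Spring Security SAML 1.0.x / OpenSAML 2.
import java.io.File;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

public class IdpSigningKeyConfig {

    // samlKeystore.jks holds the SP's own private key plus the IdP's signing
    // certificate imported under the alias "idp-signing" (e.g. with keytool -importcert).
    public static KeyManager keyManager() {
        Map<String, String> keyPasswords = new HashMap<String, String>();
        keyPasswords.put("sp-key", "sp-key-password");          // placeholder
        return new JKSKeyManager(new ClassPathResource("/saml/samlKeystore.jks"),
                "keystore-password", keyPasswords, "sp-key");   // placeholders
    }

    // The IdP's metadata, with signature checks additionally trusting the
    // "idp-signing" keystore entry, since the certificate in the metadata file
    // is not the one the IdP actually signs Responses with.
    public static ExtendedMetadataDelegate idpMetadata()
            throws MetadataProviderException, XMLParserException {
        StaticBasicParserPool parserPool = new StaticBasicParserPool();
        parserPool.initialize();

        FilesystemMetadataProvider provider =
                new FilesystemMetadataProvider(new File("/path/to/idp-metadata.xml"));
        provider.setParserPool(parserPool);   // MetadataManager initializes it later

        ExtendedMetadata extended = new ExtendedMetadata();
        extended.setSigningKey("idp-signing"); // must match the keystore alias exactly

        return new ExtendedMetadataDelegate(provider, extended);
    }
}
```

Hand the delegate to your MetadataManager (CachingMetadataManager in the sample configuration) and the KeyManager to the Spring SAML beans that resolve credentials, so the alias is available when the Response signature is checked.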