WantsAssertionsSigned Property Not Validated By SP #519

Open

williwlwilliwll opened this issue Jun 30, 2023 · 2 comments

williwlwilliwll commented Jun 30, 2023

Whilst I'm testing my project I have noticed that the SP doesn't check if the IDP has signed the assertion in the SAMLResponse as per the SP's metadata.

Can you confirm if this is indeed the case, or have I made a mistake somewhere?

Thanks ❤️

Excerpt of test

```javascript
const fs = require('fs');
// `test` is the author's test harness; `ServiceProvider` is the package's SP factory.
// The chain below runs inside the test body, hence the leading `return`.

return test.createSAMLRequest().then(({ id, context }) => {
    return test.parseSAMLRequest(id, context);
}).then((parsedSAMLRequest) => {
    // The IdP fixture used here does not sign its assertions (see the metadata path below).
    return test.createSAMLResponse(parsedSAMLRequest);
}).then(({ id, context: SAMLResponse }) => {
    // For the purpose of the test, swap in SP metadata with WantAssertionsSigned="true".
    test.sp = ServiceProvider({
        metadata: fs.readFileSync(`${__dirname}/signing-encryption/SAMLResponse/invalid_idp-doesnt-sign-assertions/sp_metadata-wantsigned.xml`),
    });
    // parseSAMLResponse still succeeds even though the SP now requires signed assertions.
    return test.parseSAMLResponse(SAMLResponse);
}).then((parsedSAMLResponse) => {
    // Confirm that the parsed assertion really carries no enveloped ds:Signature.
    const xmlRegex = /<saml:Assertion.*<ds:Signature xmlns:ds.*<\/ds:Signature>.*<\/saml:Assertion>/s;
    return expect(xmlRegex.test(parsedSAMLResponse.samlContent)).toBeFalsy();
});
```

SP metadata at beginning of flow

```xml
<EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:3000/sso/metadata">
    <!-- SP doesn't expect IDP to sign assertions -->
    <SPSSODescriptor
        AuthnRequestsSigned="true"
        WantAssertionsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
```

SP metadata at end of flow

```xml
<EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:3000/sso/metadata">
    <!-- SP expects IDP to sign assertions -->
    <SPSSODescriptor
        AuthnRequestsSigned="true"
        WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
```
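The check the issue says is missing, written out as an added example (not code from the issue, the author's harness, or the package): it reads `WantAssertionsSigned` from the SP metadata and refuses a Response whose `Assertion` has no enveloped `ds:Signature` child. It is done structurally with a namespace-aware parser rather than a regex over the serialized XML, and the SP metadata and Response below are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata: the SP declares that it wants signed assertions.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://localhost:3000/sso/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed Response whose Assertion carries no enveloped signature.
UNSIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""


def sp_wants_signed_assertions(sp_metadata_xml):
    """Read WantAssertionsSigned from SPSSODescriptor; an absent attribute means false."""
    sso = ET.fromstring(sp_metadata_xml).find("md:SPSSODescriptor", NS)
    if sso is None:
        raise ValueError("SP metadata has no SPSSODescriptor")
    return sso.get("WantAssertionsSigned", "false").lower() == "true"


def check_assertions_signed(sp_metadata_xml, response_xml):
    """Return (ok, reason). This is only the structural gate: a ds:Signature that is
    present must still be cryptographically verified against the IdP's signing key."""
    if not sp_wants_signed_assertions(sp_metadata_xml):
        return True, "SP metadata does not require signed assertions"
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # The Assertion is still ciphertext; decrypt first, then re-run on the plaintext.
        return False, "EncryptedAssertion present: run this check after decryption"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "Response contains no Assertion"
    unsigned = [a.get("ID", "<no ID>") for a in assertions
                if a.find("ds:Signature", NS) is None]
    if unsigned:
        return False, f"assertion(s) without enveloped ds:Signature: {unsigned}"
    return True, "every Assertion carries a ds:Signature child"
```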
@simoneiaconis

I have the same problem. Have you found any solution?

@williwlwilliwll (Author)

@simoneiaconis Afraid not! I was only using the package's SP functionality for testing, and in the end I had to give up on that particular test.
