Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-14309

Import of SAML2 Metadata not signed on EntityDescriptor fails.



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 13.5.1, 13.5.2, 14.0.0, 14.1.1, 5.5.1, 6.0.0,,,,,, 6.5.0,,
    • None
    • SAML
    • Rank:


      Bug description

      SAML2 metadata that is signed at various element is not working. IN fact if the signing does not sign the metadata at the <EntityDescriptor> level, the import of the signed metadata fails.

      You can use the following to create a sample test

      The difference this one is that it signs the metadata at the SPSSODescriptor/IDPSSODescriptor level and not at the top level which some SAML2 (and also AM) assumes.


      From specs: http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

      Various elements in a metadata instance can be digitally signed (as indicated by the element's inclusion of
      a <ds:Signature> element), with the following benefits:
      • Metadata integrity
      • Authentication of the metadata by a trusted signer
      A digital signature is not always required, for example if the relying party obtains the information directly
      from the publishing entity directly (with no intermediaries) through a secure channel, with the entity having
      authenticated to the relying party by some means other than a digital signature


      At this moment the following error happens (as the ID attributes does not exists)

      org.w3c.dom.DOMException: NOT_FOUND_ERR: An attempt is made to reference a node in a context where it does not exist.
          at com.sun.org.apache.xerces.internal.dom.ElementImpl.setIdAttribute(ElementImpl.java:975)
          at com.sun.identity.saml2.meta.SAML2MetaSecurityUtils.verifySignature(SAML2MetaSecurityUtils.java:257)

      even if the EntityDescriptor we add ID attribute, it may still fail to validate when the Signed Elements is checked

      com.sun.identity.cli.CLIException: Unable to verify signature under element "SPSSODescriptor".
      The Reference for URI #s73728365a2a74cc7b44afc039344c28a80bedbcf has no XMLSignatureInput

      How to reproduce the issue

      1. Generate a unsigned SAML2
      2. Sign it using http://xacmlinfo.org/2014/04/10/how-to-saml-generating-signature-for-saml-metadata/ (use the AM keystore so that we do not need to bother AM keystore later)
      3. Try to import the signed metadata (to see if it works)
      4. Observe import issues
      Expected behaviour
      Payload can import if it verifies fine
      Current behaviour
      Unable to import or verify XML 

      Work around

      Remove the Signature block from the metadata

      Code analysis

      • XML validation for ID not working for other attributes.




            Unassigned Unassigned
            chee-weng.chea C-Weng C
            0 Vote for this issue
            2 Start watching this issue