OpenAM issue OPENAM-16883

AM ignores AuthnRequestsSigned property during SSO

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 6.5.3
    • Fix Version/s: 6.5.4, 7.1.0, 7.0.2
    • Component/s: SAML
    • Sprint: AM Sustaining Sprint 79
    • Story Points: 2
    • Needs backport: No
    • Needs QA verification: No
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same in the description

Description

Bug description

After OPENAM-476, AM attempts to validate signatures on AuthnRequests regardless of what is specified in the configuration. If the corresponding key does not exist in the metadata or keystore, SSO fails, forcing customers to import the keys regardless of their AM configuration and exposing them to SSO failures whenever the certificates change.

How to reproduce the issue

1. Install vanilla 6.5.3 or 7.0
2. Create and install a Java Fedlet
3. Do not configure signing and encryption (it is disabled by default)
4. Send a signed AuthnRequest from the remote SP

Expected behaviour

The signature is ignored

Current behaviour

AM attempts to validate the signature regardless of the signing settings

Work around

Enable signing validation

Code analysis

Commit 32d3cb832901adb40c5affad02df7c3a9626076d for OPENAM-476 seems to be the culprit.
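The expected versus reported behaviour, as an added, self-contained illustration in Python (this is not OpenAM code and does not reproduce its internals). It assumes the hosted IdP's signing requirement is expressed as the WantAuthnRequestsSigned attribute on its IDPSSODescriptor, and it replaces cryptographic XML-DSig verification with a simplified trust check: the certificate named in the request's KeyInfo must match one the IdP holds for that SP. The AuthnRequest, the IdP metadata and the certificate bytes are all constructed for the example. With gate_on_config=True the signature is ignored whenever the configuration does not require it; with gate_on_config=False the function behaves as the report describes, attempting validation whenever a ds:Signature is present and failing SSO when no key is imported.

```python
"""Gate SAML AuthnRequest signature validation on the IdP configuration.

Added illustration, not OpenAM code. XML-DSig verification is simplified to a
trust check on the certificate named in ds:KeyInfo.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the SP signing certificate (not a real X.509 cert);
# only its fingerprint is used.
SP_SIGNING_CERT_B64 = base64.b64encode(b"constructed-sp-signing-cert").decode()

# Constructed signed AuthnRequest; the SignatureValue is a placeholder.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_req1"
    Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SP_SIGNING_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""


def idp_metadata(want_signed: bool) -> str:
    """Constructed hosted-IdP metadata; WantAuthnRequestsSigned is the switch under test."""
    flag = "true" if want_signed else "false"
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="{flag}"
      protocolSupportEnumeration="{NS['samlp']}"/>
</md:EntityDescriptor>"""


class SigningKeyNotFound(Exception):
    """Verification was attempted but no trusted SP signing certificate matched."""


def cert_fingerprint(cert_b64: str) -> str:
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def idp_wants_signed_requests(metadata_xml: str) -> bool:
    desc = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    return desc is not None and desc.get("WantAuthnRequestsSigned", "false").lower() == "true"


def embedded_cert_fingerprint(request_xml: str) -> Optional[str]:
    cert = ET.fromstring(request_xml).find(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return cert_fingerprint(cert.text.strip()) if cert is not None and cert.text else None


def verify_signature(request_xml: str, trusted_fingerprints: set) -> bool:
    """Simplified check: the cert named in KeyInfo must be one the IdP holds for this SP
    (in AM terms, imported via SP metadata or the keystore). A full implementation
    would then validate the XML-DSig over the canonicalised request."""
    fp = embedded_cert_fingerprint(request_xml)
    if fp is None or fp not in trusted_fingerprints:
        raise SigningKeyNotFound("no trusted signing certificate for this SP")
    return True


def process_authn_request(request_xml: str, metadata_xml: str,
                          trusted_fingerprints: set, gate_on_config: bool = True) -> str:
    """Return 'unsigned', 'ignored' or 'verified'; raise SigningKeyNotFound when
    verification is attempted without a matching key. gate_on_config=False models
    the reported behaviour: validate whenever a ds:Signature is present."""
    signed = ET.fromstring(request_xml).find("ds:Signature", NS) is not None
    required = idp_wants_signed_requests(metadata_xml)
    if not signed:
        if required:
            raise ValueError("unsigned AuthnRequest but WantAuthnRequestsSigned=true")
        return "unsigned"
    if not required and gate_on_config:
        return "ignored"          # expected behaviour: signing not configured, skip it
    verify_signature(request_xml, trusted_fingerprints)
    return "verified"


def outcome(request_xml: str, metadata_xml: str, trusted: set, gate_on_config: bool = True) -> str:
    """Wrapper that reports the SSO failure as a string instead of raising."""
    try:
        return process_authn_request(request_xml, metadata_xml, trusted, gate_on_config)
    except SigningKeyNotFound:
        return "sso-failed: signing key not found"


if __name__ == "__main__":
    no_keys = set()
    trusted = {cert_fingerprint(SP_SIGNING_CERT_B64)}
    print("signing off, gated   :", outcome(AUTHN_REQUEST, idp_metadata(False), no_keys))
    print("signing off, ungated :", outcome(AUTHN_REQUEST, idp_metadata(False), no_keys, False))
    print("signing on, key found:", outcome(AUTHN_REQUEST, idp_metadata(True), trusted))
    print("signing on, no key   :", outcome(AUTHN_REQUEST, idp_metadata(True), no_keys))
```

The "signing off, ungated" line is the reported failure: the SP signs its request, the IdP has signing validation disabled, no SP certificate was imported, and SSO still fails. The workaround from the report maps onto the "signing on, key found" case: once validation is enabled and the SP certificate imported, the request verifies, at the cost of having to re-import whenever the SP rotates its certificate.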


People

Assignee: Joe Starling (joe.starling)
Reporter: Sergio Bettiol (sergio.bettiol)
Votes: 0
Watchers: 6
