
SAML2 HTTP POST Profile: Assertion not signed when response is signed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Snapshot9.5.1
    • Fix Version/s: 10.0.0-EA
    • Component/s: SAML
    • Labels:
      None
    • Environment:
      Any

      Description

      Using the HTTP POST profile with SAML2, I want to sign the response and the contained assertion. The reason is that the assertion itself is used outside the response later on, including its signature.

      Currently this is not possible. If the response is signed, the assertion is not.

      When I enable "response signing" and "assertion signing" in the IdP configuration, only the response is signed. Signature inheritance is indeed outlined to some extent in SAML 2.0 (5.3 Signature Inheritance), but it doesn't stipulate signing only one or the other. The user should be able to pick.

      I suggest the following fix. In the function sendResponse of IDPSSOUtil, comment out the code that disables signing of the assertion:

      // if (signResponse) {
      //     signAssertion = false;
      // }

      It is a simple fix: assertions are always signed with HTTP POST, and the response only if selected. It would perhaps be better to ensure that at least one of the elements is signed, based on the user settings in the console, and if neither is, to sign the assertion.
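The following is an added example, not OpenAM code and not part of the report above. It models the two signing policies discussed in the report (the behaviour complained about, where a signed Response switches off Assertion signing, and the reporter's suggested fallback) and shows, on a constructed sample Response, why the distinction matters to a relying party: a Response-level ds:Signature does not travel with an Assertion that is later detached and reused. The function names, the sample XML and the placeholder ds:Signature contents are assumptions made for the example; the check only looks for the presence of signature elements and is not cryptographic verification.

```python
"""Which SAML 2.0 elements carry their own XML-DSig signature?

Added example, not OpenAM code.  Models the signing decision described in
OPENAM-475 and inspects a Response for Response-level and Assertion-level
ds:Signature elements.  Presence of a ds:Signature is NOT verification: a
real SP must validate every signature against the IdP's certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def current_behaviour(sign_response, sign_assertion):
    """Reconstruction (assumed) of the behaviour the report complains about:
    a signed Response switches Assertion signing off."""
    if sign_response:
        sign_assertion = False
    return sign_response, sign_assertion


def proposed_behaviour(sign_response, sign_assertion):
    """Reporter's suggestion: honour both flags, but never send a message in
    which neither element is signed; fall back to signing the Assertion."""
    if not sign_response and not sign_assertion:
        sign_assertion = True
    return sign_response, sign_assertion


def build_response(sign_response, sign_assertion):
    """Constructed sample message (hypothetical issuer, subject and IDs):
    one Response with one Assertion, with placeholder ds:Signature elements
    where the flags say so.  Element order follows the SAML 2.0 schema."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
           '<ds:SignatureValue>placeholder</ds:SignatureValue>'
           '</ds:Signature>' % NS["ds"])
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>%s'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>%s'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
        % (NS["samlp"], NS["saml"],
           sig if sign_response else "", sig if sign_assertion else "")
    )


def signature_coverage(response_xml):
    """Report which elements carry a direct-child ds:Signature."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain saml:Assertion (EncryptedAssertion not handled)")
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }


def detach_assertion(response_xml):
    """Serialise the Assertion on its own, as a consumer that reuses the
    assertion outside the Response would.  The Response-level signature
    does not come along."""
    root = ET.fromstring(response_xml)
    return ET.tostring(root.find("saml:Assertion", NS), encoding="unicode")


def assertion_stands_alone(response_xml):
    """True only if the detached Assertion still carries its own signature."""
    detached = ET.fromstring(detach_assertion(response_xml))
    return detached.find("ds:Signature", NS) is not None


if __name__ == "__main__":
    for policy in (current_behaviour, proposed_behaviour):
        msg = build_response(*policy(True, True))
        print(policy.__name__, signature_coverage(msg),
              "detached assertion signed:", assertion_stands_alone(msg))
```

With both console flags enabled, the first policy yields a Response whose detached Assertion carries no signature at all, which is exactly the situation the report describes; the second yields signatures on both elements, so the Assertion remains verifiable after it leaves the Response.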

              People

              • Assignee:
                peter.major Peter Major [X] (Inactive)
                Reporter:
                joachimandres joachimandres