
Improved logic for POST binding Assertion/Response signature check

    Details

    • Sprint:
      AM Sustaining Sprint 13, AM Sustaining Sprint 14
    • Support Ticket IDs:

      Description

      Steps to reproduce - on OpenAM version 12.0.2:

      1) Create a hosted IDP, e.g. idp.example.net
      2) Create a hosted SP, e.g. sp.example.com, and register the remote IDP
      3) Register the remote SP in the same COT.
      4) Select "Post Response Signed" in the remote SP configuration on the IDP server.
      On idp.example.net: Federation > Entity provider > sp.example.com (remote sp) > ensure "Post Response Signed:" is ticked.
      Save.
      5) Invoke spSSOInit with HTTP-POST binding, e.g.
      http://sp.example.com:9080/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=idp.example.net&metaAlias=/sp&binding=HTTP-POST

      Expected Outcome:
      SSO should succeed.

      Actual result:
      Sign-on failed (status 500 in browser)

      In logs

      ERROR: spAssertionConsumer.jsp: SSO failed.
      com.sun.identity.saml2.common.SAML2Exception: The signature on Assertion is not valid.
      	at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:590)
      	at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1050)
      	at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:255)
      	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
      	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
      

      If the OpenAM SP configuration specifies neither the "Post Response Signed" nor the "Assertions Signed" option, the SP still requires a signed Assertion for the HTTP-POST binding, regardless of whether the Response itself is signed.

      It would be better to let the IDP decide which of the two it signs when the SP does not restrict it with the wantPostResponseSigned/wantAssertionsSigned options. The SP should then validate every signature that is present and check that at least one of the two (Response or Assertion) is signed, as the SAML 2.0 specification requires for the POST binding.
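As an added illustration (not OpenAM's own code), the following stand-alone Python model captures the check the report proposes: explicit SP-side wantAssertionsSigned/wantPostResponseSigned settings are enforced when set, any signature that is present must verify, and otherwise either a signed Response or a signed Assertion satisfies the HTTP-POST binding. The PostBindingMessage type and the function names are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed stand-alone model of the SP-side decision described in the
# report. It is not OpenAM's SAML2Utils.verifyResponse; the type and function
# names below are assumptions for illustration only.


@dataclass
class PostBindingMessage:
    response_signed: bool       # <samlp:Response> carries a ds:Signature
    response_sig_valid: bool    # ...and it verified against the IDP signing cert
    assertion_signed: bool      # <saml:Assertion> carries a ds:Signature
    assertion_sig_valid: bool   # ...and it verified against the IDP signing cert


def old_check(msg: PostBindingMessage) -> tuple[bool, str]:
    """Behaviour the report describes for 12.0.2 when the SP sets neither
    wantAssertionsSigned nor wantPostResponseSigned: a signed Assertion is
    demanded even though the Response itself is validly signed."""
    if not (msg.assertion_signed and msg.assertion_sig_valid):
        return False, "The signature on Assertion is not valid."
    return True, "ok"


def verify_post_binding(msg: PostBindingMessage,
                        want_assertions_signed: bool = False,
                        want_post_response_signed: bool = False) -> tuple[bool, str]:
    """Proposed check: honour explicit SP requirements, reject any signature
    that is present but broken, and otherwise accept either element signed."""
    # A present-but-invalid signature is always fatal; a good signature on the
    # other element must never paper over a bad one.
    if msg.response_signed and not msg.response_sig_valid:
        return False, "The signature on Response is not valid."
    if msg.assertion_signed and not msg.assertion_sig_valid:
        return False, "The signature on Assertion is not valid."
    # SP-side restrictions take precedence over what the IDP chose to sign.
    if want_assertions_signed and not msg.assertion_signed:
        return False, "SP requires a signed Assertion."
    if want_post_response_signed and not msg.response_signed:
        return False, "SP requires a signed Response."
    # HTTP-POST binding in the Web Browser SSO profile: the Response or the
    # Assertion (or both) must be signed, so either one satisfies the SP here.
    if not (msg.response_signed or msg.assertion_signed):
        return False, "Neither Response nor Assertion is signed."
    return True, "ok"
```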

              People

              • Assignee:
                jonthomas Jonathan Thomas
              • Reporter:
                gabor.hollosi gabor.hollosi
              • QA Assignee:
                Nemanja Lukic
              • Votes:
                1
              • Watchers:
                6


                  Time Tracking

                  • Estimated: 0h
                  • Remaining: 0h
                  • Logged: 6h