Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
11.0.3, 12.0.0, 12.0.1, 12.0.2, 13.0.0
Description
Steps to reproduce - on OpenAM version12.0.2:
1) Create a hosted IDP e.g idp.example.net and
2) Create a hosted SP e.g sp.example.com - register remote IDP
3) Register remote SP in same COT.
4) Select Post Response Signed in remote SP configuration on IDP server
On idp.example.net: Federation > Entity provider > sp.example.com (remote sp) > ensure "Post Response Signed:" is ticked.
Save.
5) Invoke spSSOInit with HTTP-POST binding e.g
http://sp.example.com:9080/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=idp.example.net&metaAlias=/sp&binding=HTTP-POST
Expected Outcome:
SSO should succeed.
Actual result:
Sign on failed ( status 500 in browser)
In logs
ERROR: spAssertionConsumer.jsp: SSO failed. com.sun.identity.saml2.common.SAML2Exception: The signature on Assertion is not valid. at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:590) at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1050) at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:255) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
If OpenAM SP config hasn't specified neither the "Post Response Signed" nor the "Assertions Signed" options, then SP requires signed Assertion for HTTP-POST binding regardless of whether the Response is signed.
It would be good to let IDP to decide which one it wants to use if SP doesn't restrict it with wantPostResponseSigned/wantAssertionsSigned options. Then SP can validate any signatures and check if at least one of the two is used (as SAML2 specification says).
Attachments
Issue Links
- relates to
-
OPENAM-5260 Provide option to only sign Response when using HTTP-POST binding
-
- Resolved
-
