OpenAM / OPENAM-8567

SAML v2.0 Bearer Assertion Profile fails if SAML assertion does not include KeyInfo Element

    Details

    • Sprint:
      AM Sustaining Sprint 19, AM Sustaining Sprint 20

      Description

      Using the SAML v2.0 Bearer Assertion Profile as described in https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#oauth2-saml2-bearer does not work if the assertion does not contain a KeyInfo element as described in https://www.w3.org/TR/xmldsig-core/

      Root cause:

      Saml2GrantTypeHandler.validAssertion(...) - OpenAM 13.0.0 source

      ...
          if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
              logger.error("Assertion signature verification failed");
              return false;
          }
      ...

      SAMLUtils.checkSignatureValid(....) - OpenAM 13.0.0 source

          String certAlias = null;
          boolean valid = true;
          Map entries = (Map) SAMLServiceManager.getAttribute(
                              SAMLConstants.PARTNER_URLS);
          if (entries != null) {
              SAMLServiceManager.SOAPEntry srcSite =
                  (SAMLServiceManager.SOAPEntry) entries.get(issuer);
              if (srcSite != null) {
                  certAlias = srcSite.getCertAlias();
              }
          }

          try {
              XMLSignatureManager manager = XMLSignatureManager.getInstance();
              valid = manager.verifyXMLSignature(xmlString,
                                     idAttribute, certAlias);
          } catch (Exception e) {
      ...
      

      -> certAlias is always null as entries is normally null
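The following is an added, stand-alone illustration of the failure mode described above; it is not OpenAM code and does not use OpenAM's XMLSignatureManager. It uses only the JDK's javax.xml.crypto.dsig API: a constructed minimal assertion element (not a real SAML document) is enveloped-signed twice, once with a KeyInfo/KeyValue element and once without. Verification is then attempted in the two ways that matter here: with a key selector that reads the key from the signature's own KeyInfo (the only option left when no certificate alias is configured, i.e. certAlias == null), and with a key the verifier already trusts out of band (the equivalent of a configured certAlias). The class, method and attribute names (KeyInfoDemo, KeyValueKeySelector, "_constructed-assertion") are assumptions made for this example.

```java
import java.security.KeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (not OpenAM code): signature verification with and without KeyInfo. */
public class KeyInfoDemo {
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    static final String ID = "_constructed-assertion"; // assumed ID value for the constructed element

    /** A constructed, minimal assertion root with a registered ID attribute (not a real SAML assertion). */
    static Document assertion() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElementNS("urn:oasis:names:tc:SAML:2.0:assertion", "saml:Assertion");
        root.setAttribute("ID", ID);
        root.setIdAttribute("ID", true); // lets the "#ID" Reference URI resolve
        doc.appendChild(root);
        return doc;
    }

    /** Enveloped-sign the root element; emit a KeyInfo/KeyValue only when includeKeyInfo is true. */
    static void sign(Document doc, KeyPair kp, boolean includeKeyInfo) throws Exception {
        Reference ref = FAC.newReference("#" + ID,
                FAC.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        KeyInfo ki = null;
        if (includeKeyInfo) {
            KeyInfoFactory kif = FAC.getKeyInfoFactory();
            ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        }
        FAC.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    /** Verification when no alias is configured: the key can only come from the signature's own KeyInfo. */
    static boolean verifyWithKeyInfoOnly(Document doc) throws Exception {
        return verify(doc, new KeyValueKeySelector());
    }

    /** Verification with an out-of-band trusted key, the analogue of a configured certAlias. */
    static boolean verifyWithTrustedKey(Document doc, PublicKey trusted) throws Exception {
        return verify(doc, KeySelector.singletonKeySelector(trusted));
    }

    private static boolean verify(Document doc, KeySelector selector) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) return false;
        DOMValidateContext ctx = new DOMValidateContext(selector, nl.item(0));
        try {
            return FAC.unmarshalXMLSignature(ctx).validate(ctx);
        } catch (XMLSignatureException | MarshalException e) {
            return false; // e.g. the selector could not produce a key because KeyInfo is absent
        }
    }

    /** Pulls the public key out of KeyInfo/KeyValue; throws when the signature carries no KeyInfo. */
    static class KeyValueKeySelector extends KeySelector {
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext ctx) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("signature has no KeyInfo element");
            for (Object o : keyInfo.getContent()) {
                if (o instanceof KeyValue) {
                    try {
                        PublicKey pk = ((KeyValue) o).getPublicKey();
                        return () -> pk;
                    } catch (KeyException e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            throw new KeySelectorException("KeyInfo contains no KeyValue");
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document withKeyInfo = assertion();
        sign(withKeyInfo, kp, true);
        Document withoutKeyInfo = assertion();
        sign(withoutKeyInfo, kp, false);

        System.out.println("KeyInfo present, KeyInfo-only verify: " + verifyWithKeyInfoOnly(withKeyInfo));
        System.out.println("KeyInfo absent,  KeyInfo-only verify: " + verifyWithKeyInfoOnly(withoutKeyInfo));
        System.out.println("KeyInfo absent,  trusted-key verify:  " + verifyWithTrustedKey(withoutKeyInfo, kp.getPublic()));
    }
}
```

Only the second run reproduces the reported symptom: without a KeyInfo element and without a trusted key supplied by the verifier, the key selector has nothing to return and validation fails. Note also that verifying purely from the signature's embedded KeyInfo checks integrity but makes no trust decision, since an attacker can embed any key they like; a verifier should resolve the issuer to a configured certificate (the certAlias path above) and use KeyInfo at most as a hint to pick among configured keys.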

    People

    • Assignee:
      peter.major Peter Major [X] (Inactive)
    • Reporter:
      bthalmayr Bernhard Thalmayr
    • QA Assignee:
      Filip Kubáň [X] (Inactive)
    • Votes:
      0
    • Watchers:
      5

    Time Tracking

    • Original Estimate: 6h
    • Remaining Estimate: 6h
    • Time Spent: Not Specified