[OPENAM-8567] SAML v2.0 Bearer Assertion Profile fails if SAML assertion does not include KeyInfo Element Created: 14/Mar/16  Updated: 20/Nov/16  Resolved: 13/Apr/16

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 13.0.0, 14.0.0
Fix Version/s: 11.0.4, 12.0.4, 13.5.0, 14.0.0

Type: Bug Priority: Major
Reporter: Bernhard Thalmayr Assignee: Peter Major [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: 6h
Time Spent: Not Specified
Original Estimate: 6h

Issue Links:
Depends
depends on OPENAM-8571 The OAuth2 SAML grant is expecting th... Resolved
Sprint: AM Sustaining Sprint 19, AM Sustaining Sprint 20
Support Ticket IDs:
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:

Description

Using SAML v2.0 Bearer Assertion Profiles as described in https://backstage.forgerock.com/#!/docs/openam/13/admin-guide#oauth2-saml2-bearer does not work if the assertion does not contain a KeyInfo Element as described in https://www.w3.org/TR/xmldsig-core/

Root cause:

Saml2GrantTypeHandler.validAssertion(...) - OpenAM 13.0.0 source

...
        if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
            logger.error("Assertion signature verification failed");
            return false;
        }
...

SAMLUtils.checkSignatureValid(...) - OpenAM 13.0.0 source

...
        String certAlias = null;
        boolean valid = true;
        Map entries = (Map) SAMLServiceManager.getAttribute(
                            SAMLConstants.PARTNER_URLS);
        if (entries != null) {
            SAMLServiceManager.SOAPEntry srcSite =
                (SAMLServiceManager.SOAPEntry) entries.get(issuer);
            if (srcSite != null) {
                certAlias = srcSite.getCertAlias();
            }
        }

        try {
            XMLSignatureManager manager = XMLSignatureManager.getInstance();
            valid = manager.verifyXMLSignature(xmlString,
                                   idAttribute, certAlias);
        } catch (Exception e) {
...

-> certAlias is therefore always null, because entries (the PARTNER_URLS attribute) is normally null. With no certificate alias, verifyXMLSignature can only use a KeyInfo element embedded in the assertion itself, so an assertion that carries no KeyInfo fails signature verification.

Comments
Comment by Bernhard Thalmayr [ 15/Mar/16 ]

similar to SAML protocol handling the cert should be retrieved from the meta data or SAML keystore
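
The key-selection pattern this comment asks for, shown with the plain JDK XML-DSig API (javax.xml.crypto.dsig) as an added example that is not OpenAM code: the verifier takes the signing key from configured trust (a generated key pair stands in for the remote IdP's metadata certificate) and ignores any KeyInfo in the assertion, so an assertion without KeyInfo validates on the configured key alone, while one that ships its own key material does not get trusted on that basis. The Assertion element, its ID and both key pairs are constructed for the demo.

```java
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class TrustedKeyVerify {
    // Ignores any KeyInfo in the assertion; the key comes from configured trust (e.g. IdP metadata).
    static KeySelector trustedOnly(final PublicKey idpKey) {
        return new KeySelector() {
            public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m, XMLCryptoContext c) { return () -> idpKey; }
        };
    }
    // Constructed sample: minimal <Assertion ID=...> with an enveloped signature, optionally carrying KeyInfo.
    static Document signedAssertion(KeyPair signer, boolean includeKeyInfo) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElementNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");
        root.setAttribute("ID", "_sample-1"); root.setIdAttribute("ID", true); // so "#_sample-1" resolves
        doc.appendChild(root);
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#_sample-1", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfo ki = includeKeyInfo ? f.getKeyInfoFactory().newKeyInfo(Collections.singletonList(
            f.getKeyInfoFactory().newKeyValue(signer.getPublic()))) : null;
        f.newXMLSignature(si, ki).sign(new DOMSignContext(signer.getPrivate(), root));
        return doc;
    }
    // Validates the enveloped signature against the trusted key only; KeyInfo presence is irrelevant.
    static boolean verify(Document doc, PublicKey trustedKey) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(trustedOnly(trustedKey), sig);
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx).validate(ctx);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair idp = g.generateKeyPair(), rogue = g.generateKeyPair(); // idp stands in for the remote IdP's metadata cert
        // Case 1: no KeyInfo, signed by the trusted IdP key: validation relies on the configured key alone.
        System.out.println("no KeyInfo, trusted signer: " + verify(signedAssertion(idp, false), idp.getPublic()));
        // Case 2: carries its own KeyInfo but is signed by an unknown key: the embedded key is not trusted.
        System.out.println("KeyInfo present, unknown signer: " + verify(signedAssertion(rogue, true), idp.getPublic()));
    }
}
```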

Comment by Peter Major [X] (Inactive) [ 13/Apr/16 ]

This particular use-case has been resolved by OPENAM-8596.

Comment by Filip Kubáň [X] (Inactive) [ 20/Sep/16 ]

Verified fix on: OpenAM 12.0.4-RC3 Build 7d21528d51 (2016-September-06 15:25)

Comment by Peter Major [X] (Inactive) [ 30/Sep/16 ]

Note that as part of the resolution several additional checks have been implemented for the SAML2 OAuth2 grant. After installing a patch you will need to perform the following additional steps:

  • The issuer of the assertion must be configured as a remote IdP
  • The audience of the assertion must be configured as a hosted SP
  • The hosted SP and the remote IdP must be in the same Circle Of Trust
Generated at Mon Nov 30 01:55:44 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.