Validating Saml response signature
Ben G, New Member (15 reputation). Group: Forum Members. Posts: 9, Visits: 62
We have a SP that receives SAML responses from IdPs. These responses are signed and we set the PartnerCertificate in the PartnerIdentityProviderConfiguration. However, according to a customer of ours, we don't validate these signatures on our side. Here's a snippet of an example response they send:

</ds:SignedInfo><ds:SignatureValue>AFqF+U4agRLu...njE0CMEAdzEw==</ds:SignatureValue></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">anyone@anymail.com</saml:NameID>


If anything is altered after signing, the signature should not pass the SP's validation because the content is changed after signing. Their complaint is that they can change the email address in the response after signing it and that it will still pass the validation, which it shouldn't.

Is there a flag that we need to set in the config to validate the signature properly? My assumption was that this was done by default, but that doesn't appear to be the case.

Ben G, New Member (15 reputation). Group: Forum Members. Posts: 9, Visits: 62
The only PartnerIdentityProviderConfiguration flag I see that is related is WantSamlResponseSigned. However, this flag appears just to assert that the response is signed, not whether the signature is valid. I would assume that the SamlServiceProvider.ReceiveSsoAsync() call would automatically verify the signature using the provided PartnerCertificate if the response is signed, whether or not that flag is set.
ComponentSpace, ComponentSpace Development (4.4K reputation). Group: Administrators. Posts: 3.2K, Visits: 11K
By default we expect either the SAML response or SAML assertion to be signed.
This is the WantAssertionOrResponseSigned configuration flag which defaults to true.
We use the configured PartnerCertificate to perform the signature verification.
If the signature fails to verify, an exception is thrown.
The WantSamlResponseSigned flag specifies that the SAML response must be signed and the signature must verify.
The WantAssertionSigned flag specifies that the SAML assertion must be signed and the signature must verify.
If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace
I'd like to see the modified SAML assertion passing the signature verification.

Regards
ComponentSpace Development
kduval, New Member (4 reputation). Group: Awaiting Activation. Posts: 4, Visits: 6
ComponentSpace - 10/24/2018 (quoting the reply above)

Does anyone know why, when setting WantSAMLResponseSigned to false, it still tries to validate the SAML response signature and provides the error message "ComponentSpace.SAML2.Exceptions.SAMLSignatureException: The SAML response signature failed to verify."? I may be setting it incorrectly, so any guidance is appreciated.
ComponentSpace, ComponentSpace Development (4.4K reputation). Group: Administrators. Posts: 3.2K, Visits: 11K
There are three flags affecting the SAML response or SAML assertion signature.
WantSAMLResponseSigned set to true means the SAML response must be signed.
WantAssertionSigned set to true means the SAML assertion must be signed.
These both default to false.
There's a third flag called WantAssertionOrResponseSigned which defaults to true.
What this means is that either the SAML response or SAML assertion must be signed.
If the SAML response is signed and WantSAMLResponseSigned is false but WantAssertionOrResponseSigned is true, we attempt to verify the SAML response signature and throw the exception you see if this fails.
You can set WantAssertionOrResponseSigned to false and no signatures will be verified but this should never be done in production.
The reason we have WantAssertionOrResponseSigned defaulting to true is to ensure that at least one signature does verify.
Regards
ComponentSpace Development
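The three flags interact in a way that trips people up (kduval's case above: WantSAMLResponseSigned=false, yet the response signature is still verified). The following is an added model of the acceptance rules as ComponentSpace describes them in this thread, written in Python as an illustration; it is not the library's code, and the SignaturePolicy/ReceivedResponse types and rejection_reason helper are assumed names for the example.

```python
from dataclasses import dataclass
from typing import Optional


class SamlSignatureException(Exception):
    """Stand-in for ComponentSpace.SAML2.Exceptions.SAMLSignatureException."""


@dataclass
class SignaturePolicy:
    # Field names mirror the PartnerIdentityProviderConfiguration flags
    # discussed in the thread, with the defaults ComponentSpace states.
    want_saml_response_signed: bool = False
    want_assertion_signed: bool = False
    want_assertion_or_response_signed: bool = True


@dataclass
class ReceivedResponse:
    # Constructed test double: whether each element carries a signature and
    # whether that signature verifies against the configured PartnerCertificate.
    response_signed: bool
    response_signature_valid: bool
    assertion_signed: bool
    assertion_signature_valid: bool


def check_signatures(policy: SignaturePolicy, rx: ReceivedResponse) -> bool:
    """Model of the rules in the thread (not the library's code): returns True when
    the response is accepted, raises SamlSignatureException otherwise."""
    if not (policy.want_saml_response_signed or policy.want_assertion_signed
            or policy.want_assertion_or_response_signed):
        return True  # all three flags false: nothing is verified (never do this in production)
    if policy.want_saml_response_signed and not rx.response_signed:
        raise SamlSignatureException("The SAML response must be signed.")
    if policy.want_assertion_signed and not rx.assertion_signed:
        raise SamlSignatureException("The SAML assertion must be signed.")
    if policy.want_assertion_or_response_signed and not (rx.response_signed or rx.assertion_signed):
        raise SamlSignatureException("Either the SAML response or the SAML assertion must be signed.")
    # Every signature that is present is verified, whichever flag required it. This is why
    # WantSAMLResponseSigned=false still fails when a signed response does not verify:
    # the default WantAssertionOrResponseSigned=true is still in force.
    if rx.response_signed and not rx.response_signature_valid:
        raise SamlSignatureException("The SAML response signature failed to verify.")
    if rx.assertion_signed and not rx.assertion_signature_valid:
        raise SamlSignatureException("The SAML assertion signature failed to verify.")
    return True


def rejection_reason(policy: SignaturePolicy, rx: ReceivedResponse) -> Optional[str]:
    """Return the exception message for a rejected response, or None if accepted."""
    try:
        check_signatures(policy, rx)
    except SamlSignatureException as exc:
        return str(exc)
    return None
```

A NameID edited after signing shows up here as response_signature_valid=False and is rejected under the defaults, which is the behaviour Ben G's customer expected.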