Spring-security: SAML2 HTTP-Redirect: Missing Signature and SigAlg parameters in SAMLRequest Url (AuthNRequest)

Created on 9 Dec 2019  ·  9 Comments  ·  Source: spring-projects/spring-security

Summary

I'm currently updating to Spring Security 5.2.1 and starting to use the integrated SAML 2 implementation.

During the integration I noticed that my identity provider (_Keycloak_) does not accept the signed _AuthNRequest_.

The reason is that SAML 2 expects different signatures for different bindings (POST or Redirect) - at least that's how I understand it.

  • If a _POST binding_ is used the signature is embedded in the XML.
  • If a _Redirect binding_ is used the signature is part of the URL query parameters.
    (e.g. _https://idp/?SAMLRequest=...&RelayState=...&SigAlg=...&Signature=..._)

I checked the Spring Security SAML Extension online demo (https://saml-federation.appspot.com) and here it works as expected.

GET Parameters:
SAMLRequest: fZLLbsIwEEV/JfI...
SigAlg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Signature: LAB/NahduGHr5ew...

and an unsigned _AuthNRequest_:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://saml-federation.appspot.com:443/saml/SSO"
                     Destination="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle"
                     [...]
                     >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">saml-federation.appspot.com</saml2:Issuer>
</saml2p:AuthnRequest>

Currently the URL is created by createSamlRequestRedirectUrl in Saml2WebSsoAuthenticationRequestFilter, and these parameters aren't set.

private String createSamlRequestRedirectUrl(HttpServletRequest request, RelyingPartyRegistration relyingParty) {
    [...]
    String redirect = UriComponentsBuilder
            .fromUriString(relyingParty.getIdpWebSsoUrl())
            .queryParam("SAMLRequest", UriUtils.encode(encoded, StandardCharsets.ISO_8859_1))
            .queryParam("RelayState", UriUtils.encode(relayState, StandardCharsets.ISO_8859_1))
            .build(true)
            .toUriString();
    return redirect;
}

Expected Behavior

When the HTTP-Redirect binding is used, the _SigAlg_ and _Signature_ parameters are added to the SAMLRequest URL and the _AuthNRequest_ XML itself is not signed.

Version

5.2.1.RELEASE

saml2 enhancement
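The Redirect-binding signing procedure the issue describes, as an added worked example (this is not Spring Security's code and not the fix from the linked PRs): it uses only the JDK (Java 11+), a freshly generated RSA key pair standing in for the relying party's metadata signing key, and constructed placeholder hostnames and request values. It follows section 3.4.4.1 of the SAML 2.0 Bindings spec: raw-DEFLATE and base64 the unsigned AuthnRequest, URL-encode it, build the string SAMLRequest=...&RelayState=...&SigAlg=..., sign that string, and append the Signature parameter. The verify side shows the check an IdP performs, rebuilt from the raw URL-encoded values exactly as received rather than from re-encoded ones.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.zip.Deflater;

public class RedirectBindingSigner {

    // Algorithm URI carried in SigAlg (rsa-sha256 here, instead of the rsa-sha1 seen in the demo output).
    static final String SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample AuthnRequest: hostnames and ID are placeholders; no ds:Signature inside the XML.
    static final String AUTHN_REQUEST =
        "<saml2p:AuthnRequest xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\""
      + " ID=\"_example-request-id\" Version=\"2.0\" IssueInstant=\"2019-12-09T00:00:00Z\""
      + " Destination=\"https://idp.example.test/sso/redirect\""
      + " AssertionConsumerServiceURL=\"https://sp.example.test/saml/SSO\">"
      + "<saml2:Issuer xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\">sp.example.test</saml2:Issuer>"
      + "</saml2p:AuthnRequest>";

    // Step 1 of 3.4.4.1: raw DEFLATE (nowrap = no zlib header), then base64.
    static String deflateAndEncode(String xml) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(xml.getBytes(StandardCharsets.UTF_8));
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    static String urlEncode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Step 2: the octets that get signed are the URL-encoded parameters, joined in exactly this order;
    // RelayState is left out of the string when the request carries none.
    static String signedString(String encSamlRequest, String encRelayState, String encSigAlg) {
        String s = "SAMLRequest=" + encSamlRequest;
        if (encRelayState != null) {
            s += "&RelayState=" + encRelayState;
        }
        return s + "&SigAlg=" + encSigAlg;
    }

    // Step 3 (SP side): sign the query string, not the XML, and append Signature as the last parameter.
    static String buildRedirectUrl(String idpSsoUrl, String xml, String relayState, PrivateKey key)
            throws Exception {
        String query = signedString(urlEncode(deflateAndEncode(xml)),
                relayState == null ? null : urlEncode(relayState), urlEncode(SIG_ALG));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(query.getBytes(StandardCharsets.UTF_8));
        return idpSsoUrl + "?" + query + "&Signature=" + urlEncode(Base64.getEncoder().encodeToString(sig.sign()));
    }

    // IdP side: rebuild the signed string from the raw (still URL-encoded) values as received, in canonical
    // order, so differences in the sender's percent-encoding cannot break verification. SigAlg is checked
    // against the configured algorithm before any cryptographic work is done.
    static boolean verifyRedirectUrl(String url, PublicKey key) throws Exception {
        Map<String, String> raw = new HashMap<>();
        for (String pair : url.substring(url.indexOf('?') + 1).split("&")) {
            int eq = pair.indexOf('=');
            raw.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        if (!SIG_ALG.equals(URLDecoder.decode(raw.get("SigAlg"), StandardCharsets.UTF_8))) {
            return false;
        }
        String signed = signedString(raw.get("SAMLRequest"), raw.get("RelayState"), raw.get("SigAlg"));
        byte[] signature = Base64.getDecoder().decode(URLDecoder.decode(raw.get("Signature"), StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(signed.getBytes(StandardCharsets.UTF_8));
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // stands in for the SP signing key published in its metadata

        String url = buildRedirectUrl("https://idp.example.test/sso/redirect", AUTHN_REQUEST, "state-123", kp.getPrivate());
        System.out.println(url);
        System.out.println("verifies: " + verifyRedirectUrl(url, kp.getPublic()));

        // Any change to a signed parameter (here RelayState) must invalidate the signature.
        String tampered = url.replace("RelayState=state-123", "RelayState=state-456");
        System.out.println("tampered verifies: " + verifyRedirectUrl(tampered, kp.getPublic()));
    }
}
```

Run it with `java RedirectBindingSigner.java`: the first URL verifies and the tampered one does not. Two details matter for interoperability: the receiver must sign-check the raw encoded values it was sent (re-encoding may produce a different case of hex digits or `+` versus `%20`), and it must reject a SigAlg it was not configured for rather than letting the sender pick the algorithm.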

All 9 comments

@berschmoe

Thank you for your report. You are absolutely correct. I had originally implemented this as a POST binding and when I switched it to REDIRECT I didn't go back to the spec to check the signatures.

The BINDING spec covers this in detail in section 3.4.4.1, DEFLATE Encoding.

Some Identity Providers, like Okta, ignore all signatures on the AuthNRequest message because they require the Service Provider ACS URL to be whitelisted. There is a possibility that Keycloak requires the same thing, and thus as a temporary mitigation you could turn off the signature requirement. You would have to double check this. Other providers, such as SimpleSAMLPhp, accept XML signatures in the message itself.

And that's probably why we haven't seen this bug reported until now.

I have prototyped two different solutions, in two different PRs for review.

  1. Option 1 - Simply fix the bug, changing current behavior, with a fallback to existing gh-7758
  2. Option 2 - Provide a configuration option for what BINDING should be used. And through configuration, remain backwards compatible. gh-7759 (this PR adds configuration on top of gh-7758)

Flagging @rwinch for consideration.

PS. During testing I discovered that java.util.Base64 is not sufficient for all IDPs, and we had a message that failed. So we changed the encoder/decoder back to Apache Commons Codec.
Each PR has this commit as a rider.

Test configuration as a gist

Hi, thanks for fixing. When can we expect the fix to be released? Is there a workaround?

@lilalinux Most IDPs don't require signatures because they have the SSO URLs whitelisted and preconfigured. The workaround is to not require signatures. This will be part of the 5.3 release.

Unfortunately in SAP idP we can't disable that requirement 😕
Are there alternatives? Can we switch from Redirect to POST? (How?)

Hi, thanks for fixing. When can we expect the fix to be released? Is there a workaround?

This is in the 5.3 release which will be out tomorrow. You can figure it out by looking at the milestone on the right hand side of the issue and clicking on it to see the scheduled date.

My understanding is that this fix is in 5.3.x and not in 5.2.x, is that correct?

@fpagliar Yes, it is only in 5.3.x. As an enhancement, it does not get backported to patch releases (which are only bug fixes).

I'm fine with it not being backported, but I'm trying to figure out the state and what to expect, so sorry to bother but I need to clarify the status.
My understanding on this issue is that 5.2 creates signed AuthNRequests that are not respecting the SAML standard. Is that correct?

Yes, @fpagliar, 5.2 deviates from HTTP-Redirect by omitting the SigAlg and Signature query parameters.
