I'm facing a problem with validating SAML response where in, its giving digest mismatch. Tried checking it with the certificate's digest value and its showed a different value. I think there is a problem with the certificate or the SAML response but, I'm also wondering whether not having an authentication at the SP level is also a cause for concern since, the client does not want a response back on the IDP, contrary to what the standard setup for SAML dictates. I realize there shouldn't be a setup of this sort due to obvious security concerns but, this was the setup they have requested...
If the SAML assertion is not signed properly, this is a security concern and you should not trust it. By trusting it without validating the digest, you would open your self up to anyone submitting SAML to your ACS URL and being authenticated.
Related
I am using Spring SAML integration. I am getting below error when I tried to SAML logout without SingleLogout point.
I override the SAML method to check metadata has any SingleLogout point or not but it's not working.
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: IDP doesn't contain any SingleLogout endpoints
at org.springframework.security.saml.util.SAMLUtil.getLogoutBinding(SAMLUtil.java:108)
at org.springframework.security.saml.websso.SingleLogoutProfileImpl.sendLogoutRequest(SingleLogoutProfileImpl.java:66)
at org.springframework.security.saml.SAMLLogoutFilter.processLogout(SAMLLogoutFilter.java:140)
To properly override the lack of single logout endpoint in the metadata, you'd have to provide your own implementation of org.springframework.security.saml.websso.SingleLogoutProfile and inject it as a dependency in your application config. Certainly doable but quite a bit of effort for a problem that has a simpler solution: manually modify the metadata you received from the IdP and add the endpoint. (If the metadata is signed, you'll need to remove the signature).
As an SP, we've opted for the POST binding option - it seemed to be the advised approach. SAML is now set up and working with the IDP. We would now like to change to Redirect as it is better handled in Ajax calls after timeout.
My question is whether we can switch from POST to Redirect without incurring a setup change on the IDP side. Seeing as both bindings are just using the UserAgent (browser) as a transport anyway, I figured it may be possible. But the binding is defined in the AssertionConsumerService in the metadata which indicates that IDP would need to be informed and have its configuration changed.
Sending a SAML Response (which is what is sent to an Assertion Consumer Service endpoint) via Redirect is not supported by the SAML spec since responses easily get too large to send as a query parameter. See line 420 in the SAML Web SSO Profile spec https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
Identity Provider issues to Service Provider In step 5, the identity provider issues a message to be delivered by
the user agent to the service provider. Either the HTTP POST, or HTTP
Artifact binding can be used to transfer the message to the service
provider through the user agent. The message may indicate an error, or
will include (at least) an authentication assertion. The HTTP Redirect
binding MUST NOT be used, as the response will typically exceed the
URL length permitted by most user agents.
You can switch to Artifact, though SP metadata will need to updated on the IDP to relay the changed endpoint.
Kentor - Using the SampleMvcApplication with success through their StubIdp but when I try with Clareity I receive the above error.
Without knowing anything about the implementations ( Kentor, SampleMvcApplication, StubIdP, Clareity )it looks as if:
Your Identity Provider implementation does not return a 'RelayState' parameter in the body of the HTTP POST along with the SAMLResponse.
Your Identity Provider implementation has added an InResponseTo attribute in the SAMLResponse element
Your Service Provider implementation interprets this as an IdP initiated SSO since it does not see a 'RelayState' parameter
Your Service Provider throws an error since it doesn't make sense for an SAMLResponse in an IdP initiated SSO flow to have an InResponseTo. InResponseTo refers to an AuthenticationRequest which is only there in a normal SP initiated SSO.
To get more help, you should tell us a little about the implementation you are using and your configuration.
SAML assertion is generated at the IDP(PF). It is consumed at the SP(PF). Is saml assertion tampering possible? If so, how to test it? I am trying to track get & post requests.
When I post the generated SAML Response to https://machine_name:port_no/sp/ACS.saml2, I get 404 error. I understand that we cannot hit the url.when I give the destination resource url, the resource page is opened.But I don't find the response in my server log.
I want to post the generated response with slight modifications and test if it throws any error. The intruder shouldn't be allowed to get the resource. Though I modify the response, I am able to hit the url & access the page.I am using POSTMAN chrome extension for this purpose.
Note : I am extracting saml response from the Agentless Integration Kit sample application.so the destination url is https://machine_name:port_no/AgentlessIntegrationKitSampleSP
Thanks,
Aswini J
If you want to tamper with the SAML data in the browser, you should use the Tamper Data extension for Firefox. It will allow you to step through each transaction and selectively modify the data.
However, you cannot successfully tamper with the SAML Response because it is a digitally signed (and optionally encrypted) message. Any tampering of the signed data will invalidate the message and PingFederate will not allow the message to go through. This is mandated per the SAML XMLDig specification which PF strictly enforces.
The info exchanged between the PingFederate (SP) and QuickStartApp (SP) is not SAML -- it is a "one time use" reference token that refers to information that is stored in PingFederate runtime memory. If you modify this value, PF will throw an error because it will not reference any known data.
I am just wondering while implementing SAML SSO with Salesforce I realize that I uploaded the certificate to the SP side (i.e. Salesforce), however I can see when we send a signed SAML response it already includes the certificate.
Why is the certificate shared ahead of time with the SP?
It's all about establishing trust between systems. If you don't give SFDC your cert ahead of time, how can they trust the message you are sending is actually from your IDP? Without your cert ahead of time, they can validate that the message is intact but not who actually generated it. When you include your public key in the SAML Response, they can check that it's the same one you shared with them and it's the same one you used to generate the signature.