ComponentSpace

Forums



SAML Assertion Signature Validation
tomha
New Member (5 reputation)
Group: Forum Members
Posts: 3, Visits: 30
We recently had a penetration test performed on our site. There was a vulnerability reported that a SAML Assertion was valid if the Signature block is removed. I would have assumed that the ISamlServiceProvider ReceiveSsoAsync would validate a SAML Response. Can you recommend an approach where I can validate if the Response contains the Signature block?

ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Unless you explicitly turn off signature verification through the SAML configuration, we expect either the SAML response or SAML assertion to be signed and for that signature to verify.
If the SAML assertion signature block was removed, this would invalidate the SAML response signature, if any.
Please enable SAML trace and send the generated log file as an email attachment to [email protected].
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace



Regards
ComponentSpace Development
tomha
New Member (5 reputation)
Group: Forum Members
Posts: 3, Visits: 30
In case anyone else landed on this post, it was a configuration setting on our end. We assumed that the WantAssertionOrResponseSigned would handle verifying the Assertion signature, however that wasn't the case. Adding WantSAMLResponseSigned and WantAssertionSigned options solved the problem.
ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Thanks for the update.
These flags are defined in our Configuration Guide.
WantAssertionOrResponseSigned requires either the SAML assertion or SAML response to be signed and successfully verified. If neither is signed or verifies, we throw an exception. This flag defaults to true as this is the most common use case.
However, if required you can explicitly specify you want the SAML response or SAML assertion signed using the WantSAMLResponseSigned and WantAssertionSigned flags.


Regards
ComponentSpace Development
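The thread turns on where the XML Signature sits (on the Response, on the Assertion, or on neither) and which of the three flags requires which placement. The following is an added example, not ComponentSpace's code and not the original poster's: it is a structural pre-check that reports the signature placement of a SAML Response and evaluates it against flags modelled on the thread's WantAssertionOrResponseSigned, WantSAMLResponseSigned and WantAssertionSigned semantics (that modelling is an assumption drawn from the reply above, not the library's implementation). It only checks that a ds:Signature element is present as a direct child of the element it is supposed to cover; cryptographic verification of the signature remains the SAML library's job and this check is no substitute for it. The sample Response is constructed inline with a placeholder signature body.

```python
"""Structural pre-check: which parts of a SAML Response carry an XML Signature?

Added example (not ComponentSpace code). Presence-only check; the SAML library
must still cryptographically verify whatever signature is present.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

SIG = f"{{{DS}}}Signature"
RESPONSE = f"{{{SAMLP}}}Response"
ASSERTION = f"{{{SAML}}}Assertion"
ENCRYPTED_ASSERTION = f"{{{SAML}}}EncryptedAssertion"


def has_direct_signature(element):
    # A signature covers its parent: only a Signature that is a direct child
    # of this element counts. One nested deeper belongs to another element.
    return any(child.tag == SIG for child in element)


def signature_placement(response_xml):
    """Return which of Response / Assertion carry a direct ds:Signature."""
    root = ET.fromstring(response_xml)
    if root.tag != RESPONSE:
        raise ValueError("document is not a samlp:Response")
    if any(child.tag == ENCRYPTED_ASSERTION for child in root):
        # An encrypted assertion's own signature is only visible after decryption.
        raise ValueError("assertion is encrypted; decrypt before checking its signature")
    assertions = [child for child in root if child.tag == ASSERTION]
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    return {
        "response_signed": has_direct_signature(root),
        "assertion_signed": has_direct_signature(assertions[0]),
    }


def check_policy(response_xml, want_assertion_or_response_signed=True,
                 want_saml_response_signed=False, want_assertion_signed=False):
    """Return the list of violated requirements; an empty list means the
    placement satisfies the configured flags (assumed semantics, see lead-in)."""
    placement = signature_placement(response_xml)
    violations = []
    if want_assertion_or_response_signed and not (
            placement["response_signed"] or placement["assertion_signed"]):
        violations.append("neither the Response nor the Assertion is signed")
    if want_saml_response_signed and not placement["response_signed"]:
        violations.append("Response is not signed")
    if want_assertion_signed and not placement["assertion_signed"]:
        violations.append("Assertion is not signed")
    return violations


def build_response(assertion_signed, response_signed=False):
    """Constructed sample Response; the Signature content is a placeholder."""
    signature = (
        f'<ds:Signature xmlns:ds="{DS}">'
        '<ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
        '</ds:Signature>'
    )
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_r1" Version="2.0">'
        + (signature if response_signed else '')
        + '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>https://idp.example.com</saml:Issuer>'
        + (signature if assertion_signed else '')
        + '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '</saml:Assertion>'
        '</samlp:Response>'
    )


if __name__ == "__main__":
    for label, xml in (("assertion signed", build_response(True)),
                       ("nothing signed", build_response(False))):
        print(label, signature_placement(xml),
              "violations:", check_policy(xml, want_assertion_signed=True))
```

Run against the same message with its Assertion signature present and absent, the default flag (either-signed) accepts the first and rejects the second; enabling the explicit per-element flags additionally reports which element lacks its signature, which is the distinction the poster's configuration change made.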