
SAML Response XML is invalid: The SAML XSD requires the Signature element to be just after the Issuer element #2

Closed
MrChrisRodriguez opened this issue Dec 27, 2020 · 4 comments

Comments

@MrChrisRodriguez

SAML response XML is invalid: The SAML XSD requires the Signature element to be just after the Issuer element

This is a duplicate of fusionauth-issues #1047. It seemed like it might be more appropriate here.

Description

The SAML response XML being generated by FusionAuth is invalid. The XSD requires that the Signature element appear immediately after the Issuer element. FusionAuth is not fulfilling this requirement, so some SPs aren't even processing the Response because it fails validation (Twilio, for example). Auth0 had this same issue back in 2017, as well.

Affects versions

v1.22.2

Steps to reproduce

Steps to reproduce the behavior:

  1. Set up a SAML Application
  2. Turn on debugging
  3. Try to authorize
  4. Copy the Response XML from the log
  5. Paste into an XML validator and see it fails

Expected behavior

The Signature element should appear immediately following the Issuer element.

Screenshots

Platform


  • Device: MacBook Pro, but the instance is running on Fargate.
  • OS: Mac
  • Browser + version: Chrome
  • Database: MySQL

Additional context

N/A


@robotdan
Member

Thanks for the report @MrChrisRodriguez we will take a look shortly.

robotdan added a commit that referenced this issue Jan 5, 2021
@robotdan
Member

robotdan commented Jan 5, 2021

I'll have to dig into this a bit further; it seems to be in the correct location so far. I added some additional assertions for the location of the signature element.
c042748

robotdan added a commit that referenced this issue Jan 5, 2021
@robotdan
Member

robotdan commented Jan 5, 2021

Think I've got it - when configured to sign the assertion, it was in the correct location, but when configured to sign the response or for an unsuccessful response, the signature was in the incorrect location.

c1b5650

I produced XML responses for both scenarios and they both passed validation of the SAML Response schema.
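The ordering rule behind this issue (and the two scenarios the maintainer distinguishes above, response-level versus assertion-level signing) can be checked without a full XSD validator. The following is an added example, not FusionAuth's code and not part of this issue: a small Python triage check that walks a `samlp:Response` and reports any child that appears earlier than the `xs:sequence` in the SAML 2.0 protocol and assertion schemas allows, so a `ds:Signature` placed after `Status` (or, inside an `Assertion`, after `Subject`) is flagged. The sample responses are constructed here with an empty `ds:Signature` element because only its placement is examined; the element and namespace orderings are taken from the published SAML 2.0 schemas. Step 5 of the report (a real schema validator) remains the authoritative check; this only isolates the ordering failure quickly.

```python
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"


def _q(ns, name):
    """Clark-notation tag name, as ElementTree reports it."""
    return "{%s}%s" % (ns, name)


def _ranks(groups):
    """Map each tag to its slot in an xs:sequence; tags in one group share a slot (an xs:choice)."""
    return {tag: rank for rank, group in enumerate(groups) for tag in group}


# Child order of samlp:Response (StatusResponseType + ResponseType, saml-schema-protocol-2.0.xsd).
RESPONSE_RANKS = _ranks([
    [_q(NS_A, "Issuer")],
    [_q(NS_DS, "Signature")],
    [_q(NS_P, "Extensions")],
    [_q(NS_P, "Status")],
    [_q(NS_A, "Assertion"), _q(NS_A, "EncryptedAssertion")],
])

# Child order of saml:Assertion (AssertionType, saml-schema-assertion-2.0.xsd).
ASSERTION_RANKS = _ranks([
    [_q(NS_A, "Issuer")],
    [_q(NS_DS, "Signature")],
    [_q(NS_A, "Subject")],
    [_q(NS_A, "Conditions")],
    [_q(NS_A, "Advice")],
    [_q(NS_A, s) for s in ("Statement", "AuthnStatement",
                           "AuthzDecisionStatement", "AttributeStatement")],
])


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _check_sequence(elem, ranks, where):
    """Report children that appear earlier than the schema sequence allows."""
    problems = []
    last_rank, last_tag = -1, None
    for child in elem:
        rank = ranks.get(child.tag)
        if rank is None:
            problems.append("%s: unexpected child %s" % (where, _local(child.tag)))
        elif rank < last_rank:
            problems.append("%s: %s must appear before %s"
                            % (where, _local(child.tag), _local(last_tag)))
        else:
            last_rank, last_tag = rank, child.tag
    return problems


def check_saml_response_order(xml_text):
    """Return ordering/presence problems; an empty list means the layout matches the schema."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(NS_P, "Response"):
        return ["root element is %s, expected samlp:Response" % _local(root.tag)]
    problems = _check_sequence(root, RESPONSE_RANKS, "Response")
    if root.find(_q(NS_P, "Status")) is None:
        problems.append("Response: required Status element is missing")
    for i, assertion in enumerate(root.findall(_q(NS_A, "Assertion"))):
        where = "Assertion[%d]" % i
        problems += _check_sequence(assertion, ASSERTION_RANKS, where)
        if assertion.find(_q(NS_A, "Issuer")) is None:
            problems.append("%s: required Issuer element is missing" % where)
    return problems


# Constructed samples (not real FusionAuth output). ds:Signature is left empty because only its
# placement is checked; a real one carries SignedInfo, SignatureValue and KeyInfo.
ISSUER = '<saml:Issuer>https://idp.example.test</saml:Issuer>'
SIG = '<ds:Signature/>'
STATUS = ('<samlp:Status><samlp:StatusCode '
          'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>')
SUBJECT = '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'


def _response(children):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
            'ID="_r1" Version="2.0" IssueInstant="2020-12-27T00:00:00Z">%s</samlp:Response>'
            % (NS_P, NS_A, NS_DS, "".join(children)))


def _assertion(children):
    return ('<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-12-27T00:00:00Z">'
            '%s</saml:Assertion>' % "".join(children))


# Response-level signature in the schema position (directly after Issuer).
RESPONSE_SIGNED_OK = _response([ISSUER, SIG, STATUS, _assertion([ISSUER, SUBJECT])])
# Response-level signature emitted after Status: the kind of layout that fails XSD validation.
RESPONSE_SIGNED_BAD = _response([ISSUER, STATUS, SIG, _assertion([ISSUER, SUBJECT])])
# Assertion-level signature in the schema position (the case already found to be correct).
ASSERTION_SIGNED_OK = _response([ISSUER, STATUS, _assertion([ISSUER, SIG, SUBJECT])])
# Assertion-level signature after Subject: out of order inside the Assertion.
ASSERTION_SIGNED_BAD = _response([ISSUER, STATUS, _assertion([ISSUER, SUBJECT, SIG])])

if __name__ == "__main__":
    for name in ("RESPONSE_SIGNED_OK", "RESPONSE_SIGNED_BAD",
                 "ASSERTION_SIGNED_OK", "ASSERTION_SIGNED_BAD"):
        print(name, check_saml_response_order(globals()[name]) or "ok")
```

To use it on a real capture, pass the decoded Response XML from the debug log (step 4 of the report) to `check_saml_response_order`; an empty list means element order is not the reason an SP rejects it, and a non-empty list names the misplaced element and the one it should precede. The check deliberately stops at ordering and required-element presence: it does not verify the signature itself, so it complements rather than replaces signature validation on the SP side.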
