
saml assertion verification does not work in spring-security version 5.7.1 #11439

Open

miimnoon opened this issue Jun 24, 2022 · 8 comments

Labels: in: saml2 (An issue in SAML2 modules), type: bug (A general bug)

Comments

miimnoon commented Jun 24, 2022

Describe the bug
If your SAML Response is signed, Spring Security won't be able to verify it.
I did some debugging and discovered that the following class had the problem.

```
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to establish trust of KeyInfo-derived credential
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Attempting to verify signature using trusted credentials
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Failed to verify signature using either KeyInfo-derived or directly trusted credentials
```

In the following method, trustedCredentials is empty, which it shouldn't be:

```java
protected boolean evaluateTrust(@Nonnull Credential untrustedCredential, @Nullable Iterable<Credential> trustedCredentials) throws SecurityException {
    return this.keyTrust.validate(untrustedCredential, trustedCredentials);
}
```

To Reproduce
Steps to reproduce the behavior.

Expected behavior
A clear and concise description of what you expected to happen.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.

@miimnoon miimnoon added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jun 24, 2022
@marcusdacoregio marcusdacoregio added in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 27, 2022
marcusdacoregio (Contributor) commented

Hi @miimnoon, thanks for the report.

Can you confirm if the verification works in version < 5.7.1?

miimnoon (Author) commented

Hi @marcusdacoregio

I'm pretty sure that it works in 5.6.3.
I was using Spring Boot 2.6.6 (Spring Security 5.6.3) and it worked fine; after updating to Spring Boot 2.7.0 (Spring Security 5.7.1) it does not work.


dhysf commented Aug 22, 2022

Yes, I also encountered this issue. Do you know how to fix it?


marcusdacoregio commented Aug 22, 2022

Hi folks, can you provide a minimal, reproducible sample so we can simulate it on our side?


dhysf commented Aug 22, 2022

> Yes, I also encountered this issue. Do you know how to fix it?

Remove the other configuration items; keeping only the metadata works:

```properties
spring.security.saml2.relyingparty.registration.okta.assertingparty.metadata-uri=https://{app}.okta.com/app/{xxxx}/sso/saml/metadata
```


dhysf commented Aug 22, 2022

application.properties:

```properties
spring.security.saml2.relyingparty.registration.okta.identityprovider.entity-id=http://www.okta.com/{appkey}
spring.security.saml2.relyingparty.registration.okta.identityprovider.verification.credentials[0].certificate-location=classpath:rp-certificate.crt
spring.security.saml2.relyingparty.registration.okta.identityprovider.singlesignon.url=https://trial-{appid}.okta.com/app/trial-{xxx}/{xxx}/sso/saml
spring.security.saml2.relyingparty.registration.okta.identityprovider.singlesignon.sign-request=false
```

Java code:

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration // posted as "@autoConfiguration", which is not a valid annotation
public class SecurityConfiguration {

    @Bean
    SecurityFilterChain configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .authorizeHttpRequests(authorize -> authorize
                .mvcMatchers("/favicon.ico").permitAll()
                .anyRequest().authenticated()
            )
            // SAML 2.0 login/logout using Boot's auto-configured RelyingPartyRegistrationRepository
            .saml2Login(withDefaults())
            .saml2Logout(withDefaults());
        // @formatter:on
        return http.build();
    }
}
```

pom.xml:

```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.3</version>
</parent>
```


Shabin commented Mar 3, 2023

I also faced the same issue. I think the issue is with this commit in Spring Boot.
In the Saml2RelyingPartyRegistrationConfiguration.AssertingPartyProperties.get(String name, Function<AssertingParty, T> getter) method, the value from getAssertingParty is returned if it is not null.
In the case of verification it will always be non-null (it is initialised as new Verification() in Saml2RelyingPartyProperties), and hence the verification credentials given under the identityprovider key are ignored, and signature validation of the SAML2 response fails.

So changing the key from identityprovider to assertingparty works fine.
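
The lookup behaviour described in the comment above, as an added stand-alone Java example; it is not Spring Boot's code and was not posted in this thread. The classes (`Registration`, `Party`, `Verification`), the methods (`getBuggy`, `getFixed`, `load`) and the property lines are all hypothetical or constructed for the demonstration; `getFixed` shows one possible way the fallback could avoid being defeated by a default-initialised but empty `Verification` object, not the fix the project applied. It shows why the `identityprovider.*` certificate silently disappears: a missing `entity-id` really is `null` and falls back correctly, but the `Verification` object is never `null`, so the signature trust engine ends up with an empty trusted-credential list and, as the debug log above shows, the response fails verification (it fails closed; no unverified assertion is accepted).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Function;

// Stand-alone model of the lookup bug described in the comment above.
// None of these classes are Spring Boot's; all names are hypothetical.
public class AssertingPartyPrecedenceDemo {

    /** Models a "verification" block: a list of certificate locations. */
    static final class Verification {
        final List<String> credentials = new ArrayList<>();
    }

    /** Models one "assertingparty" or "identityprovider" block. */
    static final class Party {
        String entityId;                                // null until a property sets it
        Verification verification = new Verification(); // default-initialised, so never null
    }

    /** One relying-party registration carrying both the current and the deprecated prefix. */
    static final class Registration {
        final Party assertingParty = new Party();
        final Party identityProvider = new Party();
    }

    /** Buggy lookup: any non-null assertingparty value wins, even an empty default object. */
    static <T> T getBuggy(Registration r, Function<Party, T> getter) {
        T value = getter.apply(r.assertingParty);
        if (value != null) {
            return value;
        }
        return getter.apply(r.identityProvider);
    }

    /** One possible fix (an assumption): treat an empty default Verification as "not configured". */
    static <T> T getFixed(Registration r, Function<Party, T> getter) {
        T value = getter.apply(r.assertingParty);
        if (value == null || isEmptyVerification(value)) {
            return getter.apply(r.identityProvider);
        }
        return value;
    }

    private static boolean isEmptyVerification(Object value) {
        return value instanceof Verification && ((Verification) value).credentials.isEmpty();
    }

    /** Minimal loader for the two keys this example cares about: entity-id and verification creds. */
    static Registration load(List<String> propertyLines) {
        Registration r = new Registration();
        String prefix = "spring.security.saml2.relyingparty.registration.okta.";
        for (String line : propertyLines) {
            if (!line.startsWith(prefix)) {
                continue;
            }
            String[] kv = line.substring(prefix.length()).split("=", 2);
            String key = kv[0].trim();
            String value = kv[1].trim();
            Party target;
            if (key.startsWith("assertingparty.")) {
                target = r.assertingParty;
            } else if (key.startsWith("identityprovider.")) {
                target = r.identityProvider;
            } else {
                continue;
            }
            String rest = key.substring(key.indexOf('.') + 1);
            if (rest.equals("entity-id")) {
                target.entityId = value;
            } else if (rest.startsWith("verification.credentials[")) {
                target.verification.credentials.add(value);
            }
        }
        return r;
    }

    public static void main(String[] args) {
        String base = "spring.security.saml2.relyingparty.registration.okta.";
        // Constructed sample 1: the deprecated prefix, as in the reporter's application.properties.
        List<String> deprecated = Arrays.asList(
            base + "identityprovider.entity-id=http://www.okta.com/example",
            base + "identityprovider.verification.credentials[0].certificate-location=classpath:idp.crt");
        // Constructed sample 2: the same settings moved under the current prefix.
        List<String> current = Arrays.asList(
            base + "assertingparty.entity-id=http://www.okta.com/example",
            base + "assertingparty.verification.credentials[0].certificate-location=classpath:idp.crt");

        for (List<String> props : Arrays.asList(deprecated, current)) {
            Registration r = load(props);
            // entity-id falls back correctly: an unset String really is null ...
            System.out.println("entity-id     (buggy): " + getBuggy(r, p -> p.entityId));
            // ... but Verification is never null, so the deprecated credentials are dropped
            System.out.println("trusted creds (buggy): " + getBuggy(r, p -> p.verification).credentials);
            System.out.println("trusted creds (fixed): " + getFixed(r, p -> p.verification).credentials);
        }
    }
}
```

Run it with `java AssertingPartyPrecedenceDemo.java` (Java 11 or later). For the first, deprecated-prefix sample the buggy lookup prints an empty credential list while the fixed lookup prints `[classpath:idp.crt]`; for the second sample both lookups return the certificate, which is exactly why renaming the keys to `assertingparty.*` makes verification work again without any code change.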


jukekxm commented Mar 30, 2024

Is this issue still reproducible?
I think the above-mentioned commit may already have been fixed, as it was forward-ported.

5 participants