Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[feat] External Signature param for Redirect Binding #203

Merged
merged 6 commits into from
Oct 24, 2024

Conversation

Zogoo
Copy link
Collaborator

@Zogoo Zogoo commented Apr 2, 2024

SAML 2.0 redirect binding has 2 possibilities to provide a signature one is embedded and the other one is external (as query param).
The embedded one works fine because it's XML in the URL. But external signature requires a validated signature against a combined version of other parameters.
The original idea of this PR was #111 , but request validation should not belong to XML validation (XML security) because those are 2 different layers.

And this PR also contains one bug fix.
Currently, the SP metadata certificate should used for AuthnRequest validation if SP requires validation for AuthnRequest but AuthnRequest itself doesn't contain any certificate.
IdP always needs to fall back to SP Metadata (Service Provider) attributes if AuthnRequest doesn't contain the attribute.

The reason of I'm putting those 2 changes into PR is that it comes to my repo's latest main branch.

@Zogoo Zogoo self-assigned this Apr 2, 2024
@Zogoo Zogoo requested review from jphenow and mjobin-mdsol April 2, 2024 10:55
@Zogoo Zogoo changed the title [feat] Support external Signature param for Redirect Binding [feat] External Signature param for Redirect Binding Apr 2, 2024
when 384 then OpenSSL::Digest::SHA384
when 512 then OpenSSL::Digest::SHA512
else
OpenSSL::Digest::SHA1
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this default value be configurable ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The request will have an extra parameter that should be used for validation.
If the value is not expected (other than SHA) it fails back to SHA1, as we do in other places.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SHA-1 is not anymore enabled on modern distributions (like RHEL 9)

@mjobin-mdsol
Copy link
Collaborator

the long (44) commit list looks weird, I hope this gets squash merged, unless a rebase is done before hand ?

@@ -6,7 +6,7 @@ module SamlIdp
end

it "signs valid xml" do
expect(Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT)).to be_truthy
expect(Saml::XML::Document.parse(subject.signed).valid_signature?("", Default::FINGERPRINT)).to be_truthy
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this does not need to be better validated?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first attribute of this method is optional if the XML document already contains the certificate with the document. I understand that the code may look a bit strange, and using hash keys might be better, but that would require a lot of changes across different layers, which I want to avoid with these new changes.

Copy link
Collaborator

@mjobin-mdsol mjobin-mdsol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed !!!
Only a few minor questions, I guess. Looks like new tests we're added.

To be sure, I'd like to see #207 being merged and rebased here to ensure we don't lose important coverage.

Also, make sure those 44+ commits gets squashed

@Zogoo Zogoo force-pushed the bug/custom_signed_algorithm branch from adaa69b to 3e58ea2 Compare July 24, 2024 17:01
@Zogoo Zogoo requested a review from mjobin-mdsol August 5, 2024 08:28
@Zogoo
Copy link
Collaborator Author

Zogoo commented Sep 19, 2024

@jphenow could you please take a look at this one, I already tested these changes to a real Idp project.
Ideally, it would be nice if we could have a demo service that can everyone play with and test new changes.
But that would be a different story from this PR.

return true if valid_saml_request?

head :forbidden if defined?(::Rails)
false
end

def decode_request(raw_saml_request)
@saml_request = Request.from_deflated_request(raw_saml_request)
def decode_request(raw_saml_request, signature, sig_algorithm, relay_state)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a few notes in the README that are broken by these signature changes - can you take a quick pass at updating those?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might(?) just be this one

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have checked README, there was no specific section on how controller.rb methods could be help. But I have added a section that explains the starting point of this gem.

@Zogoo Zogoo merged commit 12416c4 into saml-idp:master Oct 24, 2024
25 checks passed
@Zogoo Zogoo mentioned this pull request Oct 24, 2024
@Zogoo Zogoo deleted the bug/custom_signed_algorithm branch October 25, 2024 11:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants