
I'm currently migrating from old deprecated Spring Security SAML Extension 1.0.10 to the SAML implementation in Spring Security 5.6.1.

In the old extension there was the possibility to disable the signature verification of the SAML response (property wantAssertionSigned in Spring Security SAML Extension documentation). This was very helpful for me during testing.

I wonder if this is also possible in Spring Security 5.6.1?


I searched in the source code and found the class OpenSamlMetadataResolver where it seems to me that this is hard-coded and cannot be changed:

```java
private SPSSODescriptor buildSpSsoDescriptor(RelyingPartyRegistration registration) {
    SPSSODescriptor spSsoDescriptor = build(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    // (...)
    spSsoDescriptor.setWantAssertionsSigned(true);
    // (...)
    return spSsoDescriptor;
}
```

Also, the code in OpenSaml4AuthenticationProvider doesn't seem to offer an easy way to configure the private variable assertionSignatureValidator to override validation behaviour.

Any help is appreciated.

Sebastiaan van den Broek
Mr. BoFrost

1 Answer


In Spring Security 5.7.0, which will be released this Monday, May 16, 2022, the hard-coded line is removed. Therefore there is no more signature verification by default.

You will also be able to customize the EntityDescriptor if you want, something like this:

```java
openSamlMetadataResolver.setEntityDescriptorCustomizer(
        (parameters) -> parameters.getEntityDescriptor().setEntityID("overriddenEntityId"));
```

You can always try the milestone releases before the GA.

  • That’s great news! Been waiting for that release for another SAML bug anyway that prevents upgrading to 5.6.x – Sebastiaan van den Broek May 11 '22 at 12:49
  • No - the response or the assertion must be signed per spec and Spring Security still [does this correctly in 5.7.0 RC1](https://github.com/spring-projects/spring-security/blob/5.7.0-RC1/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java#L546). `wantAssertionSigned` is a flag in SAML metadata that [acts as a hint](https://stackoverflow.com/questions/57619166/why-would-anyone-ever-set-certificate-signing-for-ruby-saml-gem-requests-respons), it does not dictate the enforcement of signature – identigral May 12 '22 at 18:10
  • @identigral I set up a saml idp (okta) to not use signing, but consuming the saml response in Spring Boot still failed because it required the signing but the xml was plain – Sebastiaan van den Broek May 14 '22 at 12:25
  • @Sebastiaan van den Broek It's unfortunate that some IdPs allow this. Thankfully Spring as an SP does not. – identigral May 16 '22 at 03:52
  • @identigral it just makes things massively harder to test properly. I wouldn’t use it unsigned in production either but it’s hard enough to test the full cycle already. And with little surprises as Spring Security 5.6 breaking a database-backed relying party registration which we found out in production, testing even just Spring upgrades automatically is massively important. – Sebastiaan van den Broek May 16 '22 at 03:57
  • @identigral this is what I'm talking about btw: https://github.com/spring-projects/spring-security/issues/10550 – Sebastiaan van den Broek May 16 '22 at 03:59
  • @identigral you're right in that the milestone release changes nothing of this behavior though. Which means I'm still out of luck without going through significant effort to set up a mocked IdP with certificates. – Sebastiaan van den Broek May 16 '22 at 04:23
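Added example, not code from the question, the answer or the Spring Security project: a test-profile configuration that keeps signature verification switched on and instead trusts the mocked IdP's self-signed certificate, which is the "mocked IdP with certificates" route the comments end on. It assumes Spring Security 5.4+ on OpenSAML 4; the certificate path, the class name and the IdP URLs are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;

/** Test-profile SAML wiring: signatures stay enforced; only the trust anchor and clock skew are test-specific. */
public final class TestSamlConfig {
    // Placeholder path: self-signed certificate of the mocked IdP, generated for tests only.
    private static final Path TEST_IDP_CERT = Path.of("src/test/resources/test-idp.crt");

    public static RelyingPartyRegistration testRegistration() throws Exception {
        X509Certificate idpCert;
        try (InputStream in = Files.newInputStream(TEST_IDP_CERT)) {
            idpCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        return RelyingPartyRegistration.withRegistrationId("test-idp")
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                .assertingPartyDetails(party -> party
                        .entityId("https://idp.example.test/metadata")                // placeholder
                        .singleSignOnServiceLocation("https://idp.example.test/sso")  // placeholder
                        // Trust anchor: responses not signed by the key behind this cert are rejected.
                        .verificationX509Credentials(c -> c.add(Saml2X509Credential.verification(idpCert))))
                .build();
    }

    public static OpenSaml4AuthenticationProvider testAuthenticationProvider() {
        OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
        // Signature checks run before this validator and are untouched; only the clock skew is widened for slow
        // test runs, while the audience and recipient restrictions of the default context are kept.
        provider.setAssertionValidator(OpenSaml4AuthenticationProvider.createDefaultAssertionValidator(t -> {
            RelyingPartyRegistration rp = t.getToken().getRelyingPartyRegistration();
            Map<String, Object> params = new HashMap<>();
            params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(rp.getEntityId()));
            params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(rp.getAssertionConsumerServiceLocation()));
            params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, Duration.ofMinutes(10));
            return new ValidationContext(params);
        }));
        return provider;
    }
}
```

Register both beans only under the test profile; the mocked IdP signs with the private key matching test-idp.crt, so an unsigned or differently signed response still fails exactly as it would in production.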