
I am using the mod auth mellon on apache for authentication on my SP.

I have added on the SP metadata the directive to require signed responses

```xml
<SPSSODescriptor
   AuthnRequestsSigned="true"
   WantAssertionsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
>
```

But when receiving the response from the IdP I see that removing the signature does not render the response not-accepted, so I am still able to login.

The documentation for Mellon is somewhat outdated and other than the readme.doc there are not a lot of resources.

**Does anyone know how I can force mellon to check the SAML Response signature?**

I tried already searching on SO for this. I made sure that all the SAML Responses had a signature value in their payload. I made sure that the signature value matched the public key value of the IDP.

ThemThem
  • It's possible that both the SAML response and SAML assertion are signed. The WantAssertionsSigned flag refers to the SAML assertion signature. Perhaps you removed the SAML response signature but Mellon is checking the SAML assertion signature. Can you confirm this is the case? If both are signed, what happens when you remove both signatures? – ComponentSpace Jan 18 '23 at 00:54
  • It is the SAML Response that is signed. The assertion is not signed at all. So the problem is double. Both that the SAML response signature is not checked and that the WantAssertionsSigned is not enforced – ThemThem Jan 18 '23 at 16:47
  • To close this issue, the point was in the assertion as it contained a signature inside the part of the response. – ThemThem Mar 08 '23 at 19:43
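The comments above turn on which element of the response actually carries a signature. The following is an added diagnostic, not code from the question or from mod_auth_mellon: it parses a SAML Response and reports, for the Response and for each Assertion, whether an enveloped `ds:Signature` is present and whether its `Reference` URI points at the ID of the element that encloses it. The sample response is constructed to mirror the situation described in the comments (Response signed, Assertion unsigned), with a placeholder signature value.

```python
# Added example, not from the question or from mod_auth_mellon: audit which parts
# of a SAML Response actually carry an XML Signature and whether each signature's
# Reference points at the ID of the element that encloses it.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _sig_status(elem):
    """'absent' if elem has no enveloped ds:Signature child, 'ok' if its
    Reference URI is '#<elem ID>', else 'reference-mismatch'."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return "absent"
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    return "ok" if uri == "#" + (elem.get("ID") or "") else "reference-mismatch"

def signature_report(xml_text):
    """Map each signable part of a samlp:Response to its signature status."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    return {
        "response": _sig_status(root),
        "assertions": {a.get("ID"): _sig_status(a)
                       for a in root.findall("saml:Assertion", NS)},
        # Encrypted assertions cannot be inspected before decryption.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

# Constructed sample mirroring the situation in the comments: the Response is
# signed, the Assertion inside it is not. The SignatureValue is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response ID="_resp1" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>idp</saml:Issuer></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(signature_report(SAMPLE_RESPONSE))
```

Run it against a response captured from the browser (e.g. the base64-decoded SAMLResponse form field) to see whether `WantAssertionsSigned` has anything to enforce; a status of `reference-mismatch` means a signature is present but does not cover its parent element.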

0 Answers