Project

General

Profile

Bug #26828

with paos response (ECP) if assertion is signed instead of response signature_not_found error occurs

Added by John Dennis 10 months ago. Updated 6 months ago.

Status:
Résolu (à déployer)
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
29 Sep 2018
Due date:
% Done:

0%

Patch proposed:
Yes
Planning:
No

Description

In SAML a signature can appear on either the top level SAML message or on an Assertion. When an Assertion is returned via a PAOS response for ECP and the signature is on the Assertion instead of on the Response an erroneous signature not found error occurs.

The problem is in lasso_saml20_login_process_paos_response_msg(). It initially calls lasso_saml20_profile_process_soap_response_with_headers() which checks for the signature on the top level SAML response. If the response is not signed it returns LASSO_DS_ERROR_SIGNATURE_NOT_FOUND. lasso_saml20_login_process_paos_response_msg() then continues to process and calls lasso_saml20_login_process_response_status_and_assertion() where it checks for the signature on the assertion. If the assertion is signed and validates it's successful. However lasso_saml20_login_process_paos_response_msg() ultimately returns the LASSO_DS_ERROR_SIGNATURE_NOT_FOUND from the earlier check on the response message when it should have realized the signature check on the assertion superseded it.

I have a git formatted patch prepared and will submit soon.

0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch View - Updated patch with MIT license tag (10.2 KB) John Dennis, 10 Jan 2019 03:53 PM

Associated revisions

Revision 642182bd (diff)
Added by John Dennis 6 months ago

Fix ECP signature not found error when only assertion is signed (#26828)

With a SAML Authn Response either the message or the assertion
contained in the response message or both can be signed. Most IdP's
sign the message. This fixes a bug when processing an ECP authn
response when only the assertion is signed.

lasso_saml20_profile_process_soap_response_with_headers() performs a
signature check on the SAML message. A signature can also appear on
the assertion which is checked by
lasso_saml20_login_process_response_status_and_assertion() The problem
occurred when the message was not signed and
lasso_saml20_profile_process_soap_response_with_headers() returned
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
actually an error because we haven't checked the signature on the
assertion yet. We were returning the first
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
signature check in
lasso_saml20_login_process_response_status_and_assertion() succeeded.

The ECP unit tests were enhanced to cover these cases.

The enhanced unit test revealed a problem in two switch statements
operating on the return value of
lasso_profile_get_signature_verify_hint() which were missing a case
statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused
an abort due to an unknown enumeration value.

Fixes Bug: 26828
License: MIT
Signed-off-by: John Dennis <>

History

#1 Updated by Benjamin Dauvergne 10 months ago

  • Assignee set to John Dennis

Seems legit, I'll apply it as soon as it arrives.

#2 Updated by John Dennis 6 months ago

  • Patch proposed changed from No to Yes
  • File 0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch added
  • Status changed from Nouveau to Solution proposée

#3 Updated by Benjamin Dauvergne 6 months ago

Just add the License: MIT header and it's good.

#4 Updated by John Dennis 6 months ago

  • File deleted (0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch)

#5 Updated by John Dennis 6 months ago

Updated patch with MIT license tag

#6 Updated by Benjamin Dauvergne 6 months ago

  • Status changed from Solution proposée to Résolu (à déployer)

#7 Updated by Benjamin Dauvergne 6 months ago

  • Target version set to 2.6.1

Also available in: Atom PDF