Bug #26828

with paos response (ECP) if assertion is signed instead of response signature_not_found error occurs

Added by John Dennis over 4 years ago. Updated over 3 years ago.

Target version:
Start date:
29 September 2018
Due date:
% Done:


Estimated time:
Patch proposed:


In SAML a signature can appear on either the top level SAML message or on an Assertion. When an Assertion is returned via a PAOS response for ECP and the signature is on the Assertion instead of on the Response an erroneous signature not found error occurs.

The problem is in lasso_saml20_login_process_paos_response_msg(). It initially calls lasso_saml20_profile_process_soap_response_with_headers() which checks for the signature on the top level SAML response. If the response is not signed it returns LASSO_DS_ERROR_SIGNATURE_NOT_FOUND. lasso_saml20_login_process_paos_response_msg() then continues to process and calls lasso_saml20_login_process_response_status_and_assertion() where it checks for the signature on the assertion. If the assertion is signed and validates it's successful. However lasso_saml20_login_process_paos_response_msg() ultimately returns the LASSO_DS_ERROR_SIGNATURE_NOT_FOUND from the earlier check on the response message when it should have realized the signature check on the assertion superseded it.

I have a git formatted patch prepared and will submit soon.


0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch (10.2 KB) 0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch Updated patch with MIT license tag John Dennis, 10 January 2019 03:53 PM

Associated revisions

Revision 642182bd (diff)
Added by John Dennis about 4 years ago

Fix ECP signature not found error when only assertion is signed (#26828)

With a SAML Authn Response either the message or the assertion
contained in the response message or both can be signed. Most IdP's
sign the message. This fixes a bug when processing an ECP authn
response when only the assertion is signed.

lasso_saml20_profile_process_soap_response_with_headers() performs a
signature check on the SAML message. A signature can also appear on
the assertion which is checked by
lasso_saml20_login_process_response_status_and_assertion() The problem
occurred when the message was not signed and
lasso_saml20_profile_process_soap_response_with_headers() returned
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
actually an error because we haven't checked the signature on the
assertion yet. We were returning the first
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
signature check in
lasso_saml20_login_process_response_status_and_assertion() succeeded.

The ECP unit tests were enhanced to cover these cases.

The enhanced unit test revealed a problem in two switch statements
operating on the return value of
lasso_profile_get_signature_verify_hint() which were missing a case
an abort due to an unknown enumeration value.

Fixes Bug: 26828
License: MIT
Signed-off-by: John Dennis <>



Updated by Benjamin Dauvergne over 4 years ago

  • Assignee set to John Dennis

Seems legit, I'll apply it as soon as it arrives.


Updated by John Dennis about 4 years ago

  • File 0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch added
  • Status changed from Nouveau to Solution proposée
  • Patch proposed changed from No to Yes

Updated by Benjamin Dauvergne about 4 years ago

Just add the License: MIT header and it's good.


Updated by John Dennis about 4 years ago

  • File deleted (0001-Fix-ECP-signature-not-found-error-when-only-assertio.patch)

Updated by Benjamin Dauvergne about 4 years ago

  • Status changed from Solution proposée to Résolu (à déployer)

Updated by Benjamin Dauvergne about 4 years ago

  • Target version set to 2.6.1

Updated by Benjamin Dauvergne over 3 years ago

  • Status changed from Résolu (à déployer) to Solution déployée

Also available in: Atom PDF