with paos response (ECP) if assertion is signed instead of response signature_not_found error occurs
In SAML a signature can appear on either the top level SAML message or on an Assertion. When an Assertion is returned via a PAOS response for ECP and the signature is on the Assertion instead of on the Response an erroneous signature not found error occurs.
The problem is in lasso_saml20_login_process_paos_response_msg(). It initially calls lasso_saml20_profile_process_soap_response_with_headers() which checks for the signature on the top level SAML response. If the response is not signed it returns LASSO_DS_ERROR_SIGNATURE_NOT_FOUND. lasso_saml20_login_process_paos_response_msg() then continues to process and calls lasso_saml20_login_process_response_status_and_assertion() where it checks for the signature on the assertion. If the assertion is signed and validates it's successful. However lasso_saml20_login_process_paos_response_msg() ultimately returns the LASSO_DS_ERROR_SIGNATURE_NOT_FOUND from the earlier check on the response message when it should have realized the signature check on the assertion superseded it.
I have a git formatted patch prepared and will submit soon.
Fix ECP signature not found error when only assertion is signed (#26828)
With a SAML Authn Response either the message or the assertion
contained in the response message or both can be signed. Most IdP's
sign the message. This fixes a bug when processing an ECP authn
response when only the assertion is signed.
lasso_saml20_profile_process_soap_response_with_headers() performs a
signature check on the SAML message. A signature can also appear on
the assertion which is checked by
lasso_saml20_login_process_response_status_and_assertion() The problem
occurred when the message was not signed and
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not
actually an error because we haven't checked the signature on the
assertion yet. We were returning the first
LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent
signature check in
The ECP unit tests were enhanced to cover these cases.
The enhanced unit test revealed a problem in two switch statements
operating on the return value of
lasso_profile_get_signature_verify_hint() which were missing a case
statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused
an abort due to an unknown enumeration value.
Fixes Bug: 26828
Signed-off-by: John Dennis <firstname.lastname@example.org>
#5 Updated by John Dennis 6 months ago
Updated patch with MIT license tag