Skip to content

Support signing SAML metadata #14916

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 31, 2024
Merged

Support signing SAML metadata #14916

merged 1 commit into from
May 31, 2024

Conversation

franticticktick
Copy link
Contributor

Closes gh-14801

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 17, 2024
jzheaux
jzheaux requested changes Apr 17, 2024
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @CrazyParanoid! I've left some feedback inline.

@jzheaux jzheaux changed the title Add support sign SAML metadata Add signing SAML metadata Apr 17, 2024
@jzheaux jzheaux changed the title Add signing SAML metadata Support signing SAML metadata Apr 17, 2024
@franticticktick
Copy link
Contributor Author

Hi @jzheaux ! Thanks for your feedback. All your comments have been resolved.

@franticticktick franticticktick requested a review from jzheaux April 18, 2024 20:11
@jzheaux jzheaux added this to the 6.4.0-M1 milestone Apr 18, 2024
@jzheaux jzheaux added type: enhancement A general enhancement in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 18, 2024
@longgt
Copy link

longgt commented May 2, 2024

@CrazyParanoid thanks for your contribution.
Regarding to Signing with OpenSAML here, the final hash should be computed right after we did marshal the EntityDescriptor at below method

spring-security/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/metadata/OpenSamlMetadataResolver.java

Line 215 in e92dd02

private String serialize(EntityDescriptor entityDescriptor) {

If we sign EntityDescriptor before calling OpenSamlMetadataResolver.serialize, the marshaller in there will create a brand new XMLSignature object.
It causes the 2 signature elements in below serialized with empty content

<ds:DigestValue/>
<ds:SignatureValue/>

Where it should be

<ds:DigestValue>digest signature</ds:DigestValue>
<ds:SignatureValue>signature value</ds:SignatureValue>

https://github.com/alexo/SAML-2.0/blob/96363df652cff76cd7a04f200a7f58b988b7bfe7/java-opensaml/opensaml-xmlsec-impl/src/main/java/org/opensaml/xml/signature/impl/SignatureMarshaller.java#L99

Beside that, the test case is check only whether DigestValue and SignatureValue is existing or not.
It's better to check whether it contains value or not, in my opinion.

I noted all debug steps at my environment (with Spring Security 6.2.2) here
#13661 (comment)

Please correct if I misunderstood this situation.
Thanks.

@franticticktick
Copy link
Contributor Author

Hi @longgt ! In the resolveWhenRelyingPartyAndSignMetadataSetThenMetadataMatches test the xml is serialized with:

<ds:DigestValue>K411jmOwS83oyZ5LDpixHzwmvi6dbmd/GAT2sW2Pdyc=</ds:DigestValue>
<ds:SignatureValue>
DQfd3Gl+04LYqDYEk3O7zwuDbA940PAA3F+BVQxSF+7QdmIEykaSL5Kj+kg3DGtpUgbQPwC7SyRz&#13;
hkTZ78v9JzNu1SP8rx5DxyrdRNS51LOQLQP1qFMeSjzEi1TXlHtp0Z35qF2dAycnIty4oZFk2zNk&#13;
Uvm2N1DkAtC5XSqKssI=
</ds:SignatureValue>

I can add a value check to the test, but apparently there is no problem here.

@jzheaux jzheaux merged commit 801e808 into spring-projects:main May 31, 2024
@jzheaux
Copy link
Contributor

jzheaux commented May 31, 2024

Thanks, @CrazyParanoid! This is now merged into main and will go out in the next milestone release.

@jzheaux
Copy link
Contributor

jzheaux commented May 31, 2024

Because I think this may become the default in the future, I made a polish of 6695784 to notify that metadata is unsigned.

@jzheaux jzheaux mentioned this pull request May 31, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux approved these changes

Assignees

@jzheaux jzheaux

Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement
Projects
None yet
Milestone
6.4.0-M1
Development

Successfully merging this pull request may close these issues.

Sign SP Metadata
4 participants
@franticticktick @longgt @jzheaux @spring-projects-issues