Hi,
I have an error in IdP-initiated SSO (unsolicited) when I override the default SAML metadata/keys for a specific service.
https://apereo.github.io/cas/development/installation/Configuring-SAML2-DynamicMetadata.html#saml-services
2021-08-03 14:50:37,868 DEBUG [org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator] - <Signature cryptographic validation not successful>
org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
    at org.opensaml.xmlsec.signature.support.impl.provider.ApacheSantuarioSignatureValidationProviderImpl.validate(ApacheSantuarioSignatureValidationProviderImpl.java:79) ~[opensaml-xmlsec-impl-4.1.1.jar:?]
    at org.opensaml.xmlsec.signature.support.SignatureValidator.validate(SignatureValidator.java:54) ~[opensaml-xmlsec-api-4.1.1.jar:?]
    at org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator.validateSignatureOnProfileRequest(SamlObjectSignatureValidator.java:228) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
    at org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(SamlObjectSignatureValidator.java:99) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
    at org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(SamlObjectSignatureValidator.java:119) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifyAuthenticationContextSignature(AbstractSamlIdPProfileHandlerController.java:529) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifyAuthenticationContextSignature(AbstractSamlIdPProfileHandlerController.java:502) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.verifySamlAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:482) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
    at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.initiateAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:350) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
    at org.apereo.cas.support.saml.web.idp.profile.SamlIdPInitiatedProfileHandlerController.handleIdPInitiatedSsoRequest(SamlIdPInitiatedProfileHandlerController.java:130) ~[cas-server-support-saml-idp-web-6.4.0-RC6.jar:6.4.0-RC6]
The root cause is that CAS signs the AuthnRequest with the private key from the service metadata but verifies the signature with the global public key:
https://github.com/apereo/cas/blob/master/support/cas-server-support-saml-idp-web/src/main/java/org/apereo/cas/support/saml/web/idp/profile/builders/enc/validate/SamlIdPObjectSignatureValidator.java#L48
More generally, I don't understand why we need to verify the signature in IdP-initiated SSO, because the AuthnRequest is not a real AuthnRequest from the SP but is built by CAS itself (a fake AuthnRequest).
I would like to create a PR to simply skip signature verification in SamlIdPInitiatedProfileHandlerController (override verifyAuthenticationContextSignature()), but I would like to be sure I don't miss a use case with this mechanism.
The related signUnsolicitedAuthnRequest attribute in the SAML service is also related to this point.
Regards,
Antoine
--
You received this message because you are subscribed to the Google Groups "CAS
Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/f2c9f23f-cef8-43e7-8649-b8ea2a21800an%40apereo.org.
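The key mismatch described in the post, reduced to plain JDK signature calls as an added illustration (this is not CAS or OpenSAML code, and the key registry, the `resolveSigningKeys` helper and the service entity ID are constructed for the example). It signs a constructed request body with a per-service key and then shows that verifying with the IdP-wide key fails while verifying with the key resolved through the same per-service lookup succeeds:

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Map;

public class UnsolicitedRequestKeyMismatch {

    // Hypothetical IdP-wide signing key pair (stands in for the global CAS SAML keys).
    private final KeyPair globalIdpKeys;
    // Hypothetical registry: service entityId -> key pair configured as a per-service override.
    private final Map<String, KeyPair> serviceOverrides;

    UnsolicitedRequestKeyMismatch(KeyPair globalIdpKeys, Map<String, KeyPair> serviceOverrides) {
        this.globalIdpKeys = globalIdpKeys;
        this.serviceOverrides = serviceOverrides;
    }

    /** One lookup used for both signing and verification, so both sides agree on the key. */
    KeyPair resolveSigningKeys(String entityId) {
        return serviceOverrides.getOrDefault(entityId, globalIdpKeys);
    }

    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair globalKeys = gen.generateKeyPair();
        KeyPair serviceKeys = gen.generateKeyPair();

        // Constructed entity ID and request body; a real AuthnRequest would be canonicalised XML.
        String entityId = "https://sp.example.org/shibboleth";
        byte[] authnRequest = "<samlp:AuthnRequest ID=\"_constructed-id\" IssueInstant=\"2021-08-03T14:50:37Z\"/>"
                .getBytes(StandardCharsets.UTF_8);

        UnsolicitedRequestKeyMismatch idp =
                new UnsolicitedRequestKeyMismatch(globalKeys, Map.of(entityId, serviceKeys));

        // The IdP builds the unsolicited request itself and signs it with the per-service key.
        KeyPair signingKeys = idp.resolveSigningKeys(entityId);
        byte[] sig = sign(signingKeys.getPrivate(), authnRequest);

        // Mismatch: the verifier uses the IdP-wide public key regardless of the service override.
        boolean verifiedWithGlobalKey = verify(globalKeys.getPublic(), authnRequest, sig);
        // Consistent: the verifier resolves the key through the same per-service lookup.
        boolean verifiedWithResolvedKey = verify(idp.resolveSigningKeys(entityId).getPublic(), authnRequest, sig);

        System.out.println("verified with global key:   " + verifiedWithGlobalKey);
        System.out.println("verified with resolved key: " + verifiedWithResolvedKey);
    }
}
```

Both key pairs are generated with the same modulus size so that the failing check reports `false` rather than throwing on a signature-length mismatch. The point of the example is the single `resolveSigningKeys` lookup: whatever policy decides which key signs a service's unsolicited request, the verification path has to apply the same policy, or else the signature check fails exactly as in the stack trace above.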