Hi,

Apologies for the delay:

When this attribute is
not present, the
initiator SHOULD interpret this to mean that the response is based on a
request that was
not signed."

Isn't this an issue with not filling the value attribute? The request SAML 
token _was_ signed. Maybe the request was signed too, and that gets its own 
SignatureConfirmation.

"Compliant responder implementations that support signature confirmation,
MUST include a
<wsse11:SignatureConfirmation> element inside the <wsse:Security> header of
the
associated response message for every <ds:Signature> element that is a
direct child of the
<wsse:Security> header block in the originating message."


I would think that  the  right thing to do for internally (Enveloped) signed 
SAML tokens is to not issue a SignatureConfirmation at all for that 
ds:Signature element, rather than one with no @Value, as it implies the 
"request is not signed".

I've basically created my own Action that doesn't issue SignatureConfirmations 
for signed saml tokens, but it's really a hack that edits just one line in the 
default one (can't be changed by config).

Nimish

On 2019/09/16 13:52:59, Colm O hEigeartaigh <cohei...@apache.org> wrote: 
> Hi,
> 
> Answers inline.
> 
> 
> >    1. The SAML assertion processor does not add a “signature-value” (
> >    WSSecurityEngineResult.TAG_SIGNATURE_VALUE) so the signature confirmation
> >    associated with the signed assertion has no attribute value, which
> >    according to the spec, is: “If this attribute is specified with an empty
> >    value, the initiator SHOULD interpret this as incorrect behavior and
> >    process accordingly”
> >
> >
> I think you are misinterpreting the spec here. What is meant here is that a
> @Value attribute is present but with an empty value. Sending a
> SignatureConfirmation element with no Value attribute is valid:
> 
> "This optional attribute contains the contents of a <ds:SignatureValue>
> copied from
> the associated request. If the request was not signed, then this attribute
> MUST NOT be
> present. If this attribute is specified with an empty value, the initiator
> SHOULD interpret
> this as incorrect behavior and process accordingly. When this attribute is
> not present, the
> initiator SHOULD interpret this to mean that the response is based on a
> request that was
> not signed."
> 
> 
> 
> >
> >
> >    1. A signatureconfirmation must be generated for every ds:Signature
> >    processed including, as far as I can tell, a signed saml assertion.
> >
> >
> The spec is a bit ambiguous on this, but I'm leaning towards thinking that
> WSS4J does the right thing by not including signature values for
> (internally) signed SAML Assertions. From the spec:
> 
> "Compliant responder implementations that support signature confirmation,
> MUST include a
> <wsse11:SignatureConfirmation> element inside the <wsse:Security> header of
> the
> associated response message for every <ds:Signature> element that is a
> direct child of the
> <wsse:Security> header block in the originating message."
> 
> Colm.
> 
> 
> 
> >
> >    1.
> >
> >
> >
> > This results in bogus signatureconfirmations. I don’t know which part is
> > wrong, but I do know a signature confirmation w/o a value is busted.
> >
> >
> >
> > Based on reading the source, the SAMLTokenSigned processor should fill in
> > the signature value.
> >
> >
> >
> > Nimish
> >
> >
> >
> >
> >
> 

Reply via email to