Expected Behavior

Add implementation of Artifact Resolution Profile, as specified here: https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf#page=44

Current Behavior

Only the Web Browser SSO Profile is available, so it is not possible to use Spring Security with an IdP that uses the Artifact Resolution Profile.

Context

In the old Spring Security SAML extension project (which is EOL) it was possible to use the Artifact Resolution Profile. Now it's not possible for me to migrate from that project to this one.
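An added example (not Spring Security's code and not from the sample repository linked later in this thread) of the first step a service provider performs under the Artifact Resolution Profile: decoding the `SAMLart` value received on the assertion consumer endpoint into type code, endpoint index, SourceID and message handle using the type 0x0004 layout from the SAML 2.0 Bindings spec, and checking the SourceID against the configured asserting party before any ArtifactResolve request is sent. The entityID and message handle below are constructed values.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

# SAML 2.0 artifact type code (Bindings spec, section 3.6.4):
# TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
ARTIFACT_TYPE_CODE = 0x0004
ARTIFACT_LENGTH = 44


@dataclass(frozen=True)
class Saml2Artifact:
    type_code: int
    endpoint_index: int
    source_id: bytes       # SHA-1 of the issuer's entityID
    message_handle: bytes  # 20 bytes chosen by the IdP, opaque to the SP


def source_id_for(entity_id: str) -> bytes:
    """SourceID for type 0x0004 artifacts: SHA-1 over the UTF-8 entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def parse_artifact(samlart: str) -> Saml2Artifact:
    """Decode the base64 SAMLart parameter and split it into fields, rejecting malformed input."""
    raw = base64.b64decode(samlart, validate=True)
    if len(raw) != ARTIFACT_LENGTH:
        raise ValueError(f"artifact must be {ARTIFACT_LENGTH} bytes, got {len(raw)}")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return Saml2Artifact(type_code, endpoint_index, raw[4:24], raw[24:44])


def check_issuer(artifact: Saml2Artifact, expected_entity_id: str) -> bool:
    """True only if the SourceID matches the configured IdP; compared in constant time so the
    SP never sends an ArtifactResolve to an endpoint chosen by an unknown issuer."""
    return hmac.compare_digest(artifact.source_id, source_id_for(expected_entity_id))


def build_artifact(entity_id: str, endpoint_index: int, message_handle: bytes) -> str:
    """Constructed artifact for local testing; a real IdP generates message_handle randomly."""
    if len(message_handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index)
    raw += source_id_for(entity_id) + message_handle
    return base64.b64encode(raw).decode("ascii")
```

The endpoint index selects which ArtifactResolutionService entry from the IdP metadata receives the SOAP ArtifactResolve; only after the SourceID check passes should the SP look that endpoint up.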

Comment From: marcusdacoregio

Hi @yaceq. Thank you for submitting this issue.

Are you interested in contributing with a PR that adds the HTTP-Artifact support?

Comment From: yaceq

Hi @marcusdacoregio. Ok, I can try adding support for HTTP-Artifact.

Comment From: marcusdacoregio

@yaceq I can help you with some guidance on how to do that. Just give me some days to try the feature myself and I'll get back to you.

Comment From: marcusdacoregio

@yaceq Discussing this with the team, we think that it is more valuable to understand your use case before moving on to the actual implementation. Would you be able to provide a sample application that adds the feature without making changes to Spring Security, e.g. has Spring Security as a dependency?

Comment From: yaceq

Sure, I'll do it this way. Just give me a few more days.

Comment From: yaceq

Ok, I'm back. HTTP-Artifact, SOAP Logout and reloading metadata added here - https://github.com/yaceq/spring-security-saml2-service-provider-ext What is missing: tests for reloading metadata, tests for the modified Saml2Login/LogoutConfigurer - I'll do them in the meantime. Also I didn't make any comments yet. The existing ones are copied from other classes/methods so they might not be appropriate - I'll fix that too later.

But there's one problem with validating the signature of the assertion when it's not encrypted. I get an error like this: Saml2AuthenticationException{error=[invalid_signature] Invalid assertion [A9eb67e35-390f-4d55-b86a-471eb9cb4f29] for SAML response [_6dbe18b8-3062-48f4-aa01-8647a6b7a566]: Assertion Signature failed pre-validation: Apache xmlsec IdResolver could not resolve the Element for id reference: A9eb67e35-390f-4d55-b86a-471eb9cb4f29} I found this solution https://blog.samlsecurity.com/2014/05/exception-apache-xmlsec-idresolver.html but I see it's used when the assertion is encrypted because of the use of Decryptor - I saw it's already used in the original spring-security-saml2-service-provider and it won't help me. What's interesting - this problem occurs only when both the artifact response and the assertion are signed but the assertion is not encrypted. Any other situation passes the tests, e.g. the assertion is signed and encrypted and the artifact response is signed, or the assertion is signed but not encrypted and the artifact response is not signed. I tried to figure it out myself but didn't achieve anything. I'm currently out of time for this task so I'm leaving it as it is. I'll come back to this problem, the missing tests and the comments in a few days/weeks. If you can, please have a look at OpenSamlArtifactAuthenticationProviderTests - you will see that some tests pass and some don't. The tests that don't pass have a signed but not encrypted assertion and a signed artifact response - the others pass.

Comment From: marcusdacoregio

Hey @yaceq, thank you for the time that you've put into making the sample application.

Just to let you know that in the next couple of weeks I have some higher priority tasks to finish, so I might not give feedback here for a few days. I'll let you know when I come back to this so we can continue the discussion.

Comment From: yaceq

Hey @marcusdacoregio, did you have time to take a look at my code? I finished my other tasks so I'll be able to come back to this problem again.

Comment From: marcusdacoregio

Hi @yaceq. Right now we are working on a SAML 2.0 Migration Guide to help folks migrating from the EOL SAML extension to the new module inside Spring Security.

We are still discussing the HTTP-Artifact support, considering the pros and cons. We'd love to know more about your scenario and why you cannot use different bindings.

Comment From: yaceq

I can't use a different binding because the asserting party that I'm integrated with uses HTTP-Artifact.

Comment From: yaceq

Just FYI - I managed to fix the problem described above, so everything is working correctly. Changes haven't been pushed to my repo yet, I'll finish tests and push everything together.

Comment From: marcusdacoregio

Hey @yaceq, thanks for the effort you have put into this.

Since 5.7.0-RC1 is already around the corner, we won't have time to add this soon. I'm bringing this to the team's attention for the next releases.

Comment From: Huub42

Hi,

An example of an IDP which mandates HTTP-Artifact is the Dutch government's citizen login system (DigiD) for government services. Details can be found here: https://logius.gitlab.io/digid-combiconnect/1.0/index.html#saml-profiles

Their metadata:

Support for the HTTP-Artifact profile and SOAP bindings would be greatly appreciated.

Best Regards,
Huub