The SAML IDP that we use requires us to follow these rules:
When signing metadata, it should contain the
In short, currently Spring Security always provides a KeyInfo element when signing occurs, and always does this with the X509 data + certificate. In our case, it would be required to change this, and either remove the KeyInfo element entirely, or replace the X509Data with a KeyName. Hopefully this can be made configurable for the RelyingPartyRegistration.
PS. I found this issue, which is possibly why we didn't run into this sooner: (https://github.com/spring-projects/spring-security/issues/11354)
Comment From: jzheaux
@rcwinder, thanks for the report. It looks like something may have caused some of the words to drop in your description, and I can't completely follow your situation. Here is an example of something in your description where it appears there is missing detail.
The signature MUST NOT contain other elements (such as )
also:
The element MAY element that contains a .
and:
When signing metadata, it should contain the element, and it MUST contain only an element with an element.
Will you please go back through your description and ensure it is complete? After that, I think I'll be able to help better.
Hopefully this can be made configurable for the RelyingPartyRegistration.
So far, this seems unlikely since the RelyingPartyRegistration represents the SAML metadata for a relying party and asserting party pair. That said, something to allow customizing OpenSAML's SignatureSigningParameters in OpenSamlAuthenticationRequestResolver so far seems possible.
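For reference, here is what "customizing OpenSAML's SignatureSigningParameters" amounts to at the OpenSAML level. This is an added example, not code from the spring-security project, the issue, or either commenter; it assumes the OpenSAML 4.x API (SignatureSigningParameters, X509KeyInfoGeneratorFactory, BasicKeyInfoGeneratorFactory, SignatureSupport, Signer), and the class KeyInfoSigningExample, the enum KeyInfoStyle and the methods signingParameters/sign are hypothetical names chosen for the example. It shows the three KeyInfo shapes the report contrasts: X509Data with the certificate, a KeyName only, and no KeyInfo at all. How such parameters would be plugged into OpenSamlAuthenticationRequestResolver is not shown, because the thread only says that such a hook "seems possible".

```java
// Added example (not spring-security project code): three ways to configure
// OpenSAML's SignatureSigningParameters so that the <ds:KeyInfo> emitted next
// to a signature carries X509Data + certificate, a KeyName only, or nothing.
// Assumes OpenSAML 4.x; class, enum and method names are hypothetical.
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.keyinfo.KeyInfoGenerator;
import org.opensaml.xmlsec.keyinfo.impl.BasicKeyInfoGeneratorFactory;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureSupport;
import org.opensaml.xmlsec.signature.support.Signer;

public final class KeyInfoSigningExample {

    /** Which <ds:KeyInfo> content the signature should carry. */
    public enum KeyInfoStyle { X509_DATA, KEY_NAME, NONE }

    /** Builds signing parameters that differ only in how <ds:KeyInfo> is populated. */
    public static SignatureSigningParameters signingParameters(
            X509Certificate cert, PrivateKey key, String keyName, KeyInfoStyle style) {
        BasicX509Credential credential = new BasicX509Credential(cert, key);
        // The key name is only emitted by the KEY_NAME style below.
        // (Assumption: getKeyNames() returns the credential's mutable name set.)
        credential.getKeyNames().add(keyName);

        SignatureSigningParameters params = new SignatureSigningParameters();
        params.setSigningCredential(credential);
        params.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        params.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        params.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        params.setKeyInfoGenerator(keyInfoGenerator(style));
        return params;
    }

    static KeyInfoGenerator keyInfoGenerator(KeyInfoStyle style) {
        switch (style) {
            case X509_DATA: {
                // <ds:KeyInfo><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
                // This is the shape the report describes as the current default.
                X509KeyInfoGeneratorFactory factory = new X509KeyInfoGeneratorFactory();
                factory.setEmitEntityCertificate(true);
                return factory.newInstance();
            }
            case KEY_NAME: {
                // <ds:KeyInfo><ds:KeyName>...</ds:KeyName></ds:KeyInfo>, no certificate or key value
                BasicKeyInfoGeneratorFactory factory = new BasicKeyInfoGeneratorFactory();
                factory.setEmitKeyNames(true);
                factory.setEmitPublicKeyValue(false);
                return factory.newInstance();
            }
            case NONE:
            default:
                // With no generator, prepareSignatureParams adds no <ds:KeyInfo> at all.
                return null;
        }
    }

    /** Attaches an enveloped signature to the object and computes it with the given parameters. */
    public static void sign(SignableXMLObject object, SignatureSigningParameters params)
            throws SecurityException, MarshallingException, SignatureException {
        Signature signature = XMLObjectProviderRegistrySupport.getBuilderFactory()
                .<Signature>getBuilderOrThrow(Signature.DEFAULT_ELEMENT_NAME)
                .buildObject(Signature.DEFAULT_ELEMENT_NAME);
        // Copies credential, algorithms and (if any) generated KeyInfo into the Signature.
        SignatureSupport.prepareSignatureParams(signature, params);
        object.setSignature(signature);
        // The object must be marshalled to DOM before the signature value can be computed.
        XMLObjectProviderRegistrySupport.getMarshallerFactory()
                .getMarshaller(object).marshall(object);
        Signer.signObject(signature);
    }
}
```

One practical caveat: with KEY_NAME or NONE the receiving party can no longer take the verification key from the signature itself, so it has to resolve the key from the certificate(s) already published in the relying party's metadata (or from the KeyName); a verifier that only trusts keys found in metadata is unaffected, but one that relied on the embedded X509Certificate will start rejecting the signature.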
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.