Describe the bug
SAML Response (IdP -> SP)
There are 8 examples:
- An unsigned SAML Response with an unsigned Assertion
- An unsigned SAML Response with a signed Assertion
- A signed SAML Response with an unsigned Assertion
- A signed SAML Response with a signed Assertion
- An unsigned SAML Response with an encrypted Assertion
- An unsigned SAML Response with an encrypted signed Assertion
- A signed SAML Response with an encrypted Assertion
- A signed SAML Response with an encrypted signed Assertion
But only a few of them are supported in Spring Security.
- An unsigned SAML Response with an unsigned Assertion
  - NOT SUPPORTED: Either the response or one of the assertions is unsigned. Please either sign the response or all of the assertions.
- An unsigned SAML Response with a signed Assertion
  - SUPPORTED
- A signed SAML Response with an unsigned Assertion
  - MAY BE:
- A signed SAML Response with a signed Assertion
  - MAY BE:
- An unsigned SAML Response with an encrypted Assertion
  - NOT SUPPORTED: No assertions found in response.
- An unsigned SAML Response with an encrypted signed Assertion
  - NOT SUPPORTED: No assertions found in response.
- A signed SAML Response with an encrypted Assertion
  - NOT SUPPORTED: org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
- A signed SAML Response with an encrypted signed Assertion
  - NOT SUPPORTED: org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
To Reproduce
Sample SAML responses are available on the site below: https://www.samltool.com/generic_sso_res.php
Expected behavior
All the types of SAML responses should be supported.
Comment From: jzheaux
Hi, @mathewm3, thanks for the detailed report.
There are no plans to support arrangements where both the response and assertion are unsigned (1 and 5 in your list).
As for the encrypted arrangements, Spring Security only supports encrypt-then-sign (not sign-then-encrypt) arrangements.
If you are experiencing issues with encrypt-then-sign responses, please provide a minimal GitHub project that reproduces the issue.
If you are experiencing issues with sign-then-encrypt responses (possibly 6 in your list), perhaps the error messages can be improved to help guide users towards what Spring Security does support.
Can you clarify your issue along these lines? We may want to split things up into multiple issues once we know what needs to be done with each item.
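For readers following this thread, here is an added configuration example (editor's illustration, not code from the reporter or from the Spring Security project) showing what the relying party needs in order to handle the arrangement the maintainer says is supported: a signed Response carrying an EncryptedAssertion. It uses the Spring Security 5.4+ `RelyingPartyRegistration` builder API; the bean parameters (`spDecryptionKey`, `spDecryptionCert`, `idpSigningCert`), the registration id and the IdP URLs are placeholders. The IdP's certificate is registered as a verification credential so the Response signature can be checked, and the SP's own key pair is registered as a decryption credential so the EncryptedAssertion can be decrypted; without a decryption credential that matches the key the IdP encrypted to, OpenSAML reports a `DecryptionException` like the one in the report.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;

@Configuration
public class Saml2DecryptionConfig {

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations(
            PrivateKey spDecryptionKey,        // hypothetical bean: the SP's private key (never the IdP's)
            X509Certificate spDecryptionCert,  // hypothetical bean: certificate published in SP metadata
            X509Certificate idpSigningCert) {  // hypothetical bean: the IdP's signing certificate

        RelyingPartyRegistration registration = RelyingPartyRegistration
                .withRegistrationId("example-idp") // placeholder registration id
                // {baseUrl} and {registrationId} are resolved by Spring Security at runtime
                .entityId("{baseUrl}/saml2/service-provider-metadata/{registrationId}")
                .assertionConsumerServiceLocation("{baseUrl}/login/saml2/sso/{registrationId}")
                // Decryption credential: the key pair the IdP encrypts the Assertion to.
                // This is what lets an EncryptedAssertion be unwrapped before validation.
                .decryptionX509Credentials(c -> c.add(
                        Saml2X509Credential.decryption(spDecryptionKey, spDecryptionCert)))
                .assertingPartyDetails(party -> party
                        .entityId("https://idp.example.test/metadata")               // placeholder
                        .singleSignOnServiceLocation("https://idp.example.test/sso") // placeholder
                        // Verification credential: used to check the XML signature on the
                        // Response (or on the Assertion, for the signed-assertion arrangement).
                        .verificationX509Credentials(c -> c.add(
                                Saml2X509Credential.verification(idpSigningCert))))
                .build();

        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
```

The SP metadata served at the `entityId` location will advertise `spDecryptionCert` with `use="encryption"`, which is the certificate the IdP must be configured to encrypt to; a mismatch between that certificate and the key the IdP actually used is the usual cause of "Failed to decrypt EncryptedData".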
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: mathewm3
Thanks a lot for the response.
None of the "encrypted Assertion" are working at my end. Do I have to do any separate configuration or steps to enable that?
Comment From: jzheaux
Okay, let's focus on 7 and 8 first. Can you please provide a minimal sample that reproduces the error?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.