Describe the bug
When the response is not signed but the assertions are signed, an error is thrown.
To Reproduce
Configure an IdP (here I used OneLogin) to sign only the assertions (not the response).
The error Saml2AuthenticationException is thrown with the message: 'Did not decrypt response [xxx] since it is not signed'
Expected behavior
No exception should be thrown if all the assertions are signed.
Some insight
The code concerned is OpenSaml4AuthenticationProvider. It seems to me it should instead be:
```java
// Issue author's proposed version of the signature/decryption gate in OpenSaml4AuthenticationProvider
if (responseSigned) {
    // response-level signature present: decrypt the response elements as before
    this.responseElementsDecrypter.accept(responseToken);
}
else if (response.getEncryptedAssertions().isEmpty()) {
    result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE,
            "Did not decrypt response [" + response.getID() + "] since it is not signed"));
}
```
We are currently working with the latest 5.8.x version. Thank you :)
Comment From: jzheaux
Hi, @acothenet, what you are describing is already supported. If all the assertions are signed, then it will proceed with authentication. I believe what you are experiencing is that you may have an encrypted unsigned response, which Spring Security does not support.
If it sounds like I'm mistaken, will you please provide a minimal GitHub sample that reproduces the issue?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: acothenet
> Hi, @acothenet, what you are describing is already supported. If all the assertions are signed, then it will proceed with authentication. I believe what you are experiencing is that you may have an encrypted unsigned response, which Spring Security does not support.
> If it sounds like I'm mistaken, will you please provide a minimal GitHub sample that reproduces the issue?

Indeed, this concerns unsigned responses with encrypted assertions. I managed to handle it with a custom configuration, but it would be nice if Spring Security handled it :)
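The thread turns on which element of the SAML Response actually carries a signature and whether the assertions are encrypted, since that is what decides whether OpenSaml4AuthenticationProvider decrypts, proceeds on per-assertion signatures, or fails with "Did not decrypt response [...] since it is not signed". The following Python script is an added example (not part of the issue and not Spring Security code) that inspects a Response and classifies it according to the rule stated in jzheaux's reply and the gate quoted in the issue. It only looks at XML structure: the sample messages are constructed with placeholder signature and ciphertext values, and no signature is verified and nothing is decrypted, so "proceeds" means the provider would move on to signature validation, not that the message is valid.

```python
"""Classify a SAML 2.0 Response by what is signed and what is encrypted.

Added example, not Spring Security code. It mirrors the decision described in
the issue thread: a signed Response is decrypted and validated; an unsigned
Response with EncryptedAssertion elements is rejected ("Did not decrypt
response ... since it is not signed"); an unsigned Response whose plaintext
assertions are all signed proceeds to assertion signature validation.
Only XML structure is inspected; no cryptography is performed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _directly_signed(elem):
    """True when elem has its own ds:Signature as a direct child.

    A Signature nested deeper (e.g. inside a child Assertion) does not make the
    parent element signed; counting it would be a signature-wrapping mistake.
    """
    return elem.find("ds:Signature", NS) is not None


def inspect_response(xml_text):
    """Report response-level signature, plaintext assertions and encrypted ones."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("expected samlp:Response, got %s" % root.tag)
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    return {
        "response_signed": _directly_signed(root),
        "plain_assertions": len(plain),
        "all_plain_signed": bool(plain) and all(_directly_signed(a) for a in plain),
        "encrypted_assertions": len(encrypted),
    }


def classify(info):
    """Apply the gate from the thread to the result of inspect_response()."""
    if info["response_signed"]:
        return "proceeds: response signed, decrypt then validate assertions"
    if info["encrypted_assertions"]:
        return "rejected: Did not decrypt response since it is not signed"
    if info["all_plain_signed"]:
        return "proceeds: unsigned response, every assertion signed"
    return "rejected: neither the response nor all assertions are signed"


def sample_response(sign_response, sign_assertion, encrypt_assertion):
    """Constructed minimal Response for this example; not real IdP output."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
           '<ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>' % NS["ds"])
    if encrypt_assertion:
        assertion = ('<saml:EncryptedAssertion><xenc:EncryptedData '
                     'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
                     '</saml:EncryptedAssertion>')
    else:
        assertion = ('<saml:Assertion ID="_a1" Version="2.0">%s'
                     '<saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>'
                     % (sig if sign_assertion else ""))
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
            '<saml:Issuer>https://idp.example</saml:Issuer>%s%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], sig if sign_response else "", assertion))


if __name__ == "__main__":
    cases = {
        "IdP signs only assertions (issue title)": sample_response(False, True, False),
        "IdP encrypts assertions, response unsigned": sample_response(False, False, True),
        "IdP signs response, encrypts assertions": sample_response(True, False, True),
        "nothing signed": sample_response(False, False, False),
    }
    for name, xml_text in cases.items():
        print("%-45s -> %s" % (name, classify(inspect_response(xml_text))))
```

Run it against a real Response captured from the IdP (for example the base64-decoded SAMLResponse form field) to see which of the four situations the IdP configuration actually produces; the second case is the one the thread ends on, where the only remedy is to have the IdP sign the Response as well.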