dexidp
Fix saml signature verification
Overview
- Update verifyResponseSig, so that it returns only signed assertion contents
- Update saml.go to parse identity from solely the verified assertion i.e. return value in verifyResponseSig
What this PR does / why we need it
Resolves security concerns around: Closes https://github.com/dexidp/dex/discussions/1884 Previously, the verifyResponseSig returned contents from the original SAML Response document. We must instead return contents from only the signed parts of the document i.e. parts verified with the XML Signature library. This PR does that.
Special notes for your reviewer
This would break cases where p.validator is nil. i.e. users don't want to verify SAML Response, since we cannot obtain any signed assertion from it. This would be an insecure and rare use case, as it would allow an attacker to create their own SAML Responses unsigned.
However, I can update the PR if Dex wants to support this use case.
@joonas-fi @DemiMarie see: https://github.com/dexidp/dex/discussions/1884
Can you confirm that this PR meets your expectation of parsing from solely signed contents. Let me know if there are any security improvements.
Thanks!
Hey @jupenur , @ericchiang could you also review the PR, and decide next steps for release. Since you previously worked on saml connector/found vulnerabilities in it.
Also what should we do if no validator is specified. It's quite dangerous behavior to not verify a SAML Response, so for my PR I didn't return any identity.
Thanks!
I haven't worked on dex in a long time, so you may want to reach out to one of the existing maintainers for review:
https://github.com/dexidp/dex/blob/master/MAINTAINERS
