
SAML Request Signature Compatibility with Broadcom Siteminder

Open programmerq opened this issue 8 months ago • 0 comments

Expected behavior:

Teleport should work with the Broadcom Siteminder SAML IDP. (Teleport as the SP).

If any specific steps unique to Siteminder become necessary, a Broadcom Siteminder guide in the documentation should cover that.

Current behavior:

Teleport's SAML service provider implementation uses the following default settings for SAML AuthNRequest:

  • Canonicalization method: http://www.w3.org/2006/12/xml-c14n11
  • Binding: HTTP-POST
  • Hard-coded urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified NameIDPolicy

These settings are not configurable and may cause incompatibility with some identity providers that require different settings, such as:

  • Canonicalization method: http://www.w3.org/2001/10/xml-exc-c14n
  • Binding: HTTP-Redirect
  • Flexibility to set NameIDPolicy to urn:oasis:names:tc:SAML:1.1:nameid-format:email (it is preferable to have this flexibility, but Siteminder can be configured to accept the unspecified policy)

I believe this is the section of code that would need to handle Broadcom Siteminder specific behavior changes:

https://github.com/gravitational/teleport/blob/v15.4.5/lib/services/saml.go#L258-L278

Details:

  • Recreation steps:
    1. Configure Teleport as a SAML service provider with an identity provider using Broadcom Siteminder.
    2. Set NameIDFormat to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    3. Initiate SSO login from Teleport.
    4. Observe the SAML request containing a different canonicalization method and using HTTP-POST binding.

Sample SAML Requests:

Current Teleport Request:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_reference_uri">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>Digest_value</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Signature_value</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDKjCCAhKgAwIB...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>

Expected Broadcom Siteminder Request:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="#_reference_URI">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>Digest_value</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>Signature_value</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIDKjCCAhKgAwIB...</X509Certificate>
      </X509Data>
    </KeyInfo>
</Signature>

Relevant logs and error messages:

Identity provider (IDP) returns HTTP error 500 due to invalid signature or binding method.

programmerq · Jun 27 '24 19:06
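As an added compatibility check that is not part of the issue or of Teleport's own code, the Go snippet below decodes a `ds:Signature` shaped like the two samples above using only the standard library and lists where it deviates from the exclusive-c14n-with-InclusiveNamespaces form Siteminder expects. The `Signature` type, `CheckExcC14N` function and the embedded request (a constructed, trimmed copy of the Teleport sample) are this example's own names, not the project's.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Only the XML-DSig fields that decide canonicalization compatibility; child tags carry
// no namespace, so the "ds:" Teleport form and the default-namespace Siteminder form both decode.
type Signature struct {
	XMLName xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	C14N    struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"SignedInfo>CanonicalizationMethod"`
	Transforms []struct {
		Algorithm string `xml:"Algorithm,attr"`
		Inclusive *struct {
			PrefixList string `xml:"PrefixList,attr"`
		} `xml:"InclusiveNamespaces"`
	} `xml:"SignedInfo>Reference>Transforms>Transform"`
}

const ExcC14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
// CheckExcC14N lists each way a signed request deviates from an IdP that wants
// exclusive c14n with an InclusiveNamespaces PrefixList; empty means it fits.
func CheckExcC14N(raw string) ([]string, error) {
	var sig Signature
	if err := xml.Unmarshal([]byte(raw), &sig); err != nil {
		return nil, err
	}
	var out []string
	if sig.C14N.Algorithm != ExcC14N {
		out = append(out, "CanonicalizationMethod="+sig.C14N.Algorithm+", want exc-c14n")
	}
	excSeen := false
	for _, t := range sig.Transforms {
		excSeen = excSeen || t.Algorithm == ExcC14N
		if t.Algorithm == ExcC14N && (t.Inclusive == nil || t.Inclusive.PrefixList == "") {
			out = append(out, "exc-c14n Transform has no InclusiveNamespaces PrefixList")
		}
	}
	if !excSeen {
		out = append(out, "Reference has no exc-c14n Transform")
	}
	return out, nil
}

func main() { // constructed input trimmed from the issue's "Current Teleport Request"
	fmt.Println(CheckExcC14N(`<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/><ds:Reference URI="#_r"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/></ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>`))
}
```

Run against a captured AuthnRequest before pointing a Siteminder IdP at Teleport, the two findings it prints for the current request are exactly the mismatches this issue reports.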