Saml2.Authentication.Core

Saml Assertion signature verification can be fooled

Open jhudsoncedaron opened this issue 6 years ago • 1 comments

The signature handling code does not pass the list of signed xml fragments to the signature reader in any way. It can be fooled by a document constructed as follows:

```xml
<!-- envelope omitted for brevity -->
<samlp:Assertion>
     <samlp:Assertion>
        <!-- original signature here -->
     </samlp:Assertion>
     <!-- whatever you want -->
</samlp:Assertion>
```

jhudsoncedaron Sep 23 '19 17:09

Some extra info perhaps and mitigations described in a research paper: https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf

RemcovandenBerg Oct 27 '19 15:10
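A structural check for the document shape reported in this issue, as an added example (not code from Saml2.Authentication.Core or from the linked paper): it resolves the signature's `Reference` to one element and returns only that element for the caller to read claims from. It assumes the standard SAML 2.0 assertion and XML-DSig namespaces, one signature per message, and that cryptographic validation of the signature is done separately; `signed_assertion` and the sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION, SIGNATURE = f"{{{SAML}}}Assertion", f"{{{DS}}}Signature"
REFERENCE = f"{{{DS}}}SignedInfo/{{{DS}}}Reference"

# Constructed sample messages (signature contents elided, as in the issue).
_SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#orig"/></ds:SignedInfo></ds:Signature>'
_OPEN = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         f'xmlns:saml="{SAML}" xmlns:ds="{DS}">')
GOOD = f'{_OPEN}<saml:Assertion ID="orig">{_SIG}</saml:Assertion></samlp:Response>'
WRAPPED = (f'{_OPEN}<saml:Assertion ID="outer"><saml:Assertion ID="orig">{_SIG}'
           f'</saml:Assertion><!-- whatever you want --></saml:Assertion></samlp:Response>')


def signed_assertion(xml_text):
    """Return the Assertion element the signature covers, or None.

    Cryptographic validation of the Signature is assumed to be done
    separately; callers read claims only from the returned element.
    """
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    signatures = list(root.iter(SIGNATURE))
    if len(signatures) != 1:            # policy assumption: one signature per message
        return None
    refs = signatures[0].findall(REFERENCE)
    uri = refs[0].get("URI", "") if len(refs) == 1 else ""
    if len(uri) < 2 or uri[0] != "#":   # only same-document ID references are accepted
        return None
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1:               # referenced ID is missing or duplicated
        return None
    signed = targets[0]
    # The signature must sit directly inside the assertion it references.
    if signed.tag != ASSERTION or parent.get(signatures[0]) is not signed:
        return None
    # No assertion may be wrapped around, or nested inside, the signed one.
    if parent.get(signed) is not root or len(list(signed.iter(ASSERTION))) != 1:
        return None
    return signed
```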