
SAML1 Signature Validation fails

Open williamthom-as opened this issue 8 years ago • 0 comments

Using ADFS 3 as the IdP, the signature and digests fail validation because of mismatched hashes.

Not sure if there is a configuration issue on my end, but from what I can see the problem is due to carriage returns, tabs and whitespace being left in the canonicalized string.

Would be great to see this fixed if indeed it is a problem (not sure if you support ADFS 3.0). The fix I implemented merely stripped out undesired excess characters which caused the digests to mismatch; I have not tested against other IdPs.

Original:

```ruby
canon_hashed_element = canoner.canonicalize(hashed_element)
...
canon_string = canoner.canonicalize(signed_info_element)
```

Fix:

```ruby
canon_hashed_element = canoner.canonicalize(hashed_element).gsub(/\n\t/, " ").gsub(/>\s*</, "><")
...
canon_string = canoner.canonicalize(signed_info_element).gsub(/\n\t/, " ").gsub(/>\s*</, "><")
```

williamthom-as avatar Jul 22 '16 04:07 williamthom-as
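The following is an added example, not code from omniauth-wsfed or from the reporter, that shows why inter-element whitespace changes a DigestValue and what the proposed `gsub` workaround does and does not buy. It is written in Python rather than Ruby only because the standard library ships a canonicalizer (`xml.etree.ElementTree.canonicalize`, which implements C14N 2.0; treating it as a stand-in for the exclusive C14N 1.0 an XML-DSig verifier must actually use is an assumption, and the whitespace behaviour demonstrated is the same in both). The assertion fragment, the `_example` ID and the function names are constructed for the demonstration; the two DigestMethod URIs are the real XML-DSig identifiers.

```python
import base64
import hashlib
import hmac
import re
from xml.etree import ElementTree as ET

# Constructed sample (not a real ADFS token): the same SAML 1 assertion
# once with pretty-printing whitespace between elements and once without.
PRETTY = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_example">\n'
    '\t<Conditions NotBefore="2016-07-22T04:00:00Z" NotOnOrAfter="2016-07-22T05:00:00Z"/>\n'
    '\t<AttributeStatement>\n'
    '\t\t<Attribute AttributeName="name"><AttributeValue>alice</AttributeValue></Attribute>\n'
    '\t</AttributeStatement>\n'
    '</Assertion>'
)
COMPACT = re.sub(r">\s*<", "><", PRETTY)

# DigestMethod algorithm URIs as they appear in <ds:Reference>.
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"


def canonical_string(xml: str) -> str:
    """Canonical form of the element. Assumption: stdlib C14N 2.0 stands in
    for the exclusive C14N 1.0 a real WS-Fed/SAML verifier would apply.
    Whitespace-only text nodes between elements are preserved, as in both."""
    return ET.canonicalize(xml, with_comments=False)


def digest_value(xml: str, digest_method_uri: str = SHA256_URI) -> str:
    """Base64 DigestValue a signer would place in <ds:Reference> for this element."""
    canon = canonical_string(xml).encode("utf-8")
    return base64.b64encode(DIGEST_ALGS[digest_method_uri](canon).digest()).decode("ascii")


def issue_workaround(canon: str) -> str:
    """The post-processing proposed in the issue, transcribed from Ruby gsub."""
    canon = re.sub(r"\n\t", " ", canon)
    return re.sub(r">\s*<", "><", canon)


def verify_reference(xml: str, expected_digest_b64: str, digest_method_uri: str,
                     normalize_whitespace: bool = False) -> bool:
    """Recompute the digest over the canonical bytes and compare in constant time.
    normalize_whitespace=True applies the issue's workaround before hashing."""
    canon = canonical_string(xml)
    if normalize_whitespace:
        canon = issue_workaround(canon)
    actual = DIGEST_ALGS[digest_method_uri](canon.encode("utf-8")).digest()
    expected = base64.b64decode(expected_digest_b64)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    signed = digest_value(COMPACT)  # what a signer of the compact form would emit
    print("same element, different whitespace, same digest?",
          digest_value(PRETTY) == signed)
    print("strict verify of pretty form against compact digest:",
          verify_reference(PRETTY, signed, SHA256_URI))
    print("with whitespace workaround:",
          verify_reference(PRETTY, signed, SHA256_URI, normalize_whitespace=True))
    print("workaround, but signer hashed the pretty form:",
          verify_reference(COMPACT, digest_value(PRETTY), SHA256_URI, normalize_whitespace=True))
```

The two last prints make the practical point: canonicalization keeps the whitespace text nodes, so the `gsub` workaround only produces a match when the signer's own canonical input had no whitespace between elements. If the IdP signed a form that did contain whitespace, stripping it on the verifying side makes the digest mismatch instead. A verifier should therefore canonicalize the token exactly as received (not a re-serialized or pretty-printed copy of it) with the method named in `<ds:CanonicalizationMethod>` and `<ds:Transforms>`, rather than normalizing whitespace after the fact.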