does Mellon require a signed assertion?
My IdMS by default only signs the entire SAML response but does not sign the assertion within the response. Does mellon require a signed assertion? If so, is there a way to toggle that?
I'm getting this when receiving the assertion in the mellon diagnostics. The assertion appears to be correctly decrypted because I can see the principal's attributes in the mellon diagnostics.
[APLOG_ERR auth_mellon_handler.c:2203] Error processing authn response. Lasso error: [440] The profile cannot verify a signature on the message, SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"
Thanks ahead of time!
Hello,
You can add AuthnRequestsSigned="true" and WantAssertionsSigned="true" on SPSSODescriptor.
Example:
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
Hi,
Thank you for the reply! I tried flipping that from true to false and I got the same error. Want to make sure I understand how it works - setting WantAssertionsSigned tells the mellon module that the IdP's assertion will not be signed, or does it tell the IdP not to sign the assertion?
The verification of the message signature is handled by the Lasso library that Mellon builds on. Lasso will verify the response signature; if it's missing, it will see whether the assertion is signed and verify that. For more details I refer you to the Lasso project.
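An added example (not Mellon or Lasso code) that follows the lookup order described in the reply above: it reports whether a samlp:Response carries a direct-child ds:Signature, whether the saml:Assertion inside it does, or whether the assertion is still encrypted and so cannot be inspected yet. The responses are constructed, abbreviated samples; the signature contents themselves are not verified.

```python
"""Report where the ds:Signature sits in a SAML 2.0 Response (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_locations(xml_text):
    """Return which elements carry a *direct-child* ds:Signature.

    Only direct children count: a signature nested inside the assertion
    must not be mistaken for a signature over the whole response.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
                            and assertion.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }

def describe(loc):
    """Summarise in the order the reply says Lasso looks: response, then assertion."""
    if loc["response_signed"]:
        return "response-level signature present"
    if loc["assertion_signed"]:
        return "assertion-level signature present"
    if loc["assertion_encrypted"]:
        return "assertion encrypted; decrypt before looking for an assertion signature"
    return "no signature found on response or assertion"

def sample_response(sign_response=False, sign_assertion=False):
    """Constructed, abbreviated samlp:Response; idp.example is a placeholder issuer."""
    sig = "<ds:Signature><ds:SignedInfo/></ds:Signature>"
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
        "<saml:Issuer>https://idp.example/</saml:Issuer>" + (sig if sign_response else "") +
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
        '</samlp:Status><saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://idp.example/</saml:Issuer>" + (sig if sign_assertion else "") +
        "</saml:Assertion></samlp:Response>"
    )

if __name__ == "__main__":
    for flags in [(True, False), (False, True), (False, False)]:
        print(flags, describe(signature_locations(sample_response(*flags))))
```

Running this against a response captured from Mellon's diagnostics shows at which level the IdP actually signs, which is the first thing to check before adjusting WantAssertionsSigned.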