
Add Artifact Resolution Profile

Open yaceq opened this issue 3 years ago • 13 comments

Expected Behavior

Add implementation of Artifact Resolution Profile, as specified here: https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf#page=44

Current Behavior

Only the Web Browser SSO Profile is available, so it is not possible to use Spring Security with an IdP that uses the Artifact Resolution Profile.

Context

In the old Spring Security SAML extension project (which is EOL) it was possible to use the Artifact Resolution Profile. Now, for me, it's not possible to migrate from that project to this one.

yaceq avatar Feb 14 '22 11:02 yaceq

Hi @yaceq. Thank you for submitting this issue.

Are you interested in contributing with a PR that adds the HTTP-Artifact support?

marcusdacoregio avatar Feb 14 '22 12:02 marcusdacoregio

Hi @marcusdacoregio. Ok, I can try adding support for HTTP-Artifact.

yaceq avatar Feb 18 '22 12:02 yaceq

@yaceq I can help you with some guidance on how to do that. Just give me some days to try the feature myself and I'll get back to you.

marcusdacoregio avatar Feb 18 '22 12:02 marcusdacoregio

@yaceq Discussing this with the team, we think that it is more valuable to understand your use case before moving on to the actual implementation. Would you be able to provide a sample application that adds the feature without making changes to Spring Security, e.g. has Spring Security as a dependency?

marcusdacoregio avatar Feb 22 '22 12:02 marcusdacoregio

Sure, I'll do it this way. Just give me a few days more.

yaceq avatar Feb 25 '22 09:02 yaceq

Ok, I'm back. HTTP-Artifact, SOAP Logout and reloading metadata added here: https://github.com/yaceq/spring-security-saml2-service-provider-ext

What is missing: tests for reloading metadata, tests for the modified Saml2Login/LogoutConfigurer - I'll do it in the meantime. Also I didn't write any comments yet. The existing ones are copied from other classes/methods so they might not be appropriate - I'll fix that too later.

But there's one problem with validating the signature of the assertion when it's not encrypted. I get an error like this:

Saml2AuthenticationException{error=[invalid_signature] Invalid assertion [A9eb67e35-390f-4d55-b86a-471eb9cb4f29] for SAML response [_6dbe18b8-3062-48f4-aa01-8647a6b7a566]: Assertion Signature failed pre-validation: Apache xmlsec IdResolver could not resolve the Element for id reference: A9eb67e35-390f-4d55-b86a-471eb9cb4f29}

I found this solution https://blog.samlsecurity.com/2014/05/exception-apache-xmlsec-idresolver.html but I see it's used when the assertion is encrypted because of the use of Decryptor - I saw it's already used in the original spring-security-saml2-service-provider and it won't help me.

What's interesting: this problem occurs only when both the artifact response and the assertion are signed but the assertion is not encrypted. Any other situation passes the tests, e.g. the assertion is signed and encrypted and the artifact response is signed, or the assertion is signed but not encrypted and the artifact response is not signed.

I tried to figure it out myself but didn't achieve anything. I'm currently out of time for this task so I'm leaving it as it is. I'll come back to this problem, the missing tests and the comments in a few days/weeks. If you can, please have a look into OpenSamlArtifactAuthenticationProviderTests - you will see that some tests pass and some don't. The tests that don't pass have a signed but not encrypted assertion and a signed artifact response - the others pass.

yaceq avatar Mar 08 '22 10:03 yaceq
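The pre-validation error quoted above is the one Apache xmlsec raises when the DOM it is handed does not treat the Assertion's ID attribute as an XML ID, so a signature reference of the form "#A9eb..." cannot be dereferenced. The following JDK-only snippet is an added example, not code from the issue author or from Spring Security: it parses a constructed, schema-free stand-in for a signed ArtifactResponse carrying an unencrypted Assertion, shows that Document.getElementById finds nothing, and shows the lookup succeeding once the ID attributes are registered with Element.setIdAttribute. That this is the exact cause in the reporter's sample project is an assumption; the element names, namespaces and IDs in the XML are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlIdResolution {

    // Constructed stand-in for a signed ArtifactResponse that carries a signed but
    // unencrypted Assertion. Signature elements are omitted; only the ID attributes
    // matter for this demonstration.
    static final String SAML_XML =
        "<samlp:ArtifactResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" "
      + "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_artifact-response-id\">"
      + "<samlp:Response ID=\"_6dbe18b8-3062-48f4-aa01-8647a6b7a566\">"
      + "<saml:Assertion ID=\"A9eb67e35-390f-4d55-b86a-471eb9cb4f29\">"
      + "<saml:Issuer>https://idp.example</saml:Issuer>"
      + "</saml:Assertion>"
      + "</samlp:Response>"
      + "</samlp:ArtifactResponse>";

    static final String ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Namespace-aware, non-validating parse with DTDs disabled (no XXE surface).
    // Because no schema is applied, the parser has no way to know that ID is an xs:ID.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Marks the ID attribute of every Assertion, Response and ArtifactResponse element
    // as a DOM ID so that getElementById (and an ID resolver built on it) can find them.
    static void registerSamlIds(Document doc) {
        String[][] targets = {
            {ASSERTION_NS, "Assertion"},
            {PROTOCOL_NS, "Response"},
            {PROTOCOL_NS, "ArtifactResponse"},
        };
        for (String[] target : targets) {
            NodeList nodes = doc.getElementsByTagNameNS(target[0], target[1]);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element element = (Element) nodes.item(i);
                if (element.hasAttribute("ID")) {
                    element.setIdAttribute("ID", true);
                }
            }
        }
    }

    // Returns the local name of the element with the given ID, or null when unresolved.
    static String resolve(Document doc, String id) {
        Element element = doc.getElementById(id);
        return element == null ? null : element.getLocalName();
    }

    public static void main(String[] args) throws Exception {
        String assertionId = "A9eb67e35-390f-4d55-b86a-471eb9cb4f29";
        Document doc = parse(SAML_XML);
        System.out.println("before registration: " + resolve(doc, assertionId));
        registerSamlIds(doc);
        System.out.println("after registration:  " + resolve(doc, assertionId));
    }
}
```

The point for a validator is ordering: the ID attributes have to be marked before the signature check runs, on the same DOM instance the check uses. Re-parsing or re-marshalling the Assertion after registration throws the ID-ness away again, which is one way a nested, signed-but-unencrypted Assertion can end up unresolvable while the encrypted path (which builds its own DOM during decryption) still works.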

Hey @yaceq, thank you for the time that you've put into making the sample application.

Just to let you know that in the next couple of weeks I have some higher priority tasks to finish, so I might not give feedback here for a few days. I'll let you know when I come back to this so we can continue the discussion.

marcusdacoregio avatar Mar 09 '22 18:03 marcusdacoregio

Hey @marcusdacoregio, did you have time to take a look into my code? I finished my other tasks so I'll be able to come back to this problem again.

yaceq avatar Apr 07 '22 07:04 yaceq

Hi @yaceq. Right now we are working on a SAML 2.0 Migration Guide to help folks migrating from the EOL SAML extension to the new module inside Spring Security.

We are still discussing the HTTP-Artifact support, considering the pros and cons. We'd love to know more about your scenario and why you cannot use different bindings.

marcusdacoregio avatar Apr 07 '22 11:04 marcusdacoregio

I can't use a different binding because the asserting party that I'm integrated with uses HTTP-Artifact.

yaceq avatar Apr 07 '22 11:04 yaceq

Just FYI - I managed to fix the problem described above, so everything is working correctly. Changes haven't been pushed to my repo yet, I'll finish tests and push everything together.

yaceq avatar Apr 12 '22 13:04 yaceq

Hey @yaceq, thanks for the effort you have put into this.

Since 5.7.0-RC1 is already around the corner, we won't have time to add this soon. I'm bringing this to the team's attention for the next releases.

marcusdacoregio avatar Apr 12 '22 13:04 marcusdacoregio

Hi,

An example of an IDP which mandates HTTP-Artifact is the Dutch government: the citizen login system (DigiD) for government services. Details can be found here: https://logius.gitlab.io/digid-combiconnect/1.0/index.html#saml-profiles

Their meta data:

Support for the HTTP-Artifact profile and SOAP bindings would be greatly appreciated.

Best Regards,
Huub

Huub42 avatar Sep 13 '22 15:09 Huub42