
Validate asserting party metadata signature

Open palakova opened this issue 3 years ago • 2 comments

Various elements in metadata can be digitally signed. Although signatures are optional, according to SAML specification, section 4.3.3.2 Processing Signed Documents and Fragments, "Metadata consumers MUST validate signatures, when present."

Expected Behavior
Similar to the previous Spring Security SAML Extension implementation: enable submitting a collection of public keys via configuration (e.g. as part of RelyingPartyRegistration) and verify the signature(s) in the IdP metadata using the PKIX algorithm, with the provided public keys as trust anchors.

Current Behavior
I believe the metadata signature is not verified. I did not find any way to enable this behaviour.

Context
Validating the metadata signature increases security and conforms to the SAML 2.0 specification. As an example, Azure AD signs the root <EntityDescriptor> element of its metadata.

palakova · Nov 01 '22 16:11
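The check requested above, as an added example that is not code from Spring Security or from the issue's participants: it verifies the enveloped XML signature on the root md:EntityDescriptor against a configured list of trust-anchor public keys using the JDK's built-in XML-DSig API (javax.xml.crypto.dsig) rather than OpenSAML. Two simplifications are assumptions of this example: the signature is verified directly against each anchor's public key instead of building a PKIX certificate path, and any key material embedded in the document's own KeyInfo is ignored on purpose, since a self-asserted key proves nothing. The class name, the "unsigned metadata is rejected" policy and the command-line loader are all hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical verifier: trusts only the configured anchor keys, never keys carried inside the metadata. */
public final class MetadataSignatureVerifier {
    private static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    private final List<PublicKey> trustAnchors;

    public MetadataSignatureVerifier(List<PublicKey> trustAnchors) {
        if (trustAnchors == null || trustAnchors.isEmpty()) {
            throw new IllegalArgumentException("at least one trust anchor is required");
        }
        this.trustAnchors = List.copyOf(trustAnchors);
    }

    /** Parses the metadata with DTDs and external entities disabled; namespace awareness is required by XML-DSig. */
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /** True only if the root EntityDescriptor carries an enveloped signature that verifies under one trust anchor. */
    public boolean verify(byte[] metadataXml) throws Exception {
        Document doc = parse(metadataXml);
        Element root = doc.getDocumentElement();
        if (!MD_NS.equals(root.getNamespaceURI()) || !"EntityDescriptor".equals(root.getLocalName())) {
            throw new IllegalArgumentException("root element is not md:EntityDescriptor");
        }
        Element sigEl = directChildSignature(root);
        if (sigEl == null) {
            return false; // policy assumed here: unsigned metadata is rejected
        }
        String rootId = root.hasAttribute("ID") ? root.getAttribute("ID") : null;
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");

        for (PublicKey anchor : trustAnchors) {
            // XMLSignature caches its validation result, so unmarshal afresh for each candidate key.
            DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(anchor), sigEl);
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // JDK secure-validation mode
            if (rootId != null) {
                ctx.setIdAttributeNS(root, null, "ID"); // lets "#<ID>" references resolve without a schema
            }
            XMLSignature signature = fac.unmarshalXMLSignature(ctx);
            if (!coversRoot(signature, rootId)) {
                return false; // a signature over some fragment does not protect the whole descriptor
            }
            if (signature.validate(ctx)) {
                return true;
            }
        }
        return false;
    }

    /** Only a ds:Signature that is a direct child of the root can be the enveloped signature over the root. */
    private static Element directChildSignature(Element root) {
        NodeList sigs = root.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            if (sigs.item(i).getParentNode() == root) {
                return (Element) sigs.item(i);
            }
        }
        return null;
    }

    /** The single Reference must point at the whole document ("") or at the root's own ID. */
    private static boolean coversRoot(XMLSignature signature, String rootId) {
        List<?> refs = signature.getSignedInfo().getReferences();
        if (refs.size() != 1) {
            return false;
        }
        String uri = ((Reference) refs.get(0)).getURI();
        return "".equals(uri) || (rootId != null && ("#" + rootId).equals(uri));
    }

    /** Loads X.509 certificates (PEM or DER) and uses their public keys as the trust anchors. */
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: MetadataSignatureVerifier <metadata.xml> <anchor.crt>...");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<PublicKey> anchors = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            try (InputStream in = Files.newInputStream(Path.of(args[i]))) {
                anchors.add(cf.generateCertificate(in).getPublicKey());
            }
        }
        boolean ok = new MetadataSignatureVerifier(anchors).verify(Files.readAllBytes(Path.of(args[0])));
        System.out.println(ok ? "metadata signature VALID" : "metadata signature INVALID or missing");
        System.exit(ok ? 0 : 1);
    }
}
```

The two structural checks before cryptographic validation matter as much as the key choice: a ds:Signature nested deeper in the tree, or one whose Reference covers only a fragment, would validate cryptographically yet leave the rest of the EntityDescriptor (endpoints, signing certificates) unprotected.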

I think this sounds reasonable, though it would likely involve making OpenSamlAssertingPartyDetailsConverter public and polishing it accordingly.

It might change to something like OpenSamlAssertingPartyDetailsDecoder (similar to NimbusJwtDecoder) and may get an interface like AssertingPartyDetailsDecoder. The implementation would take the keys as part of its construction.

jzheaux · Jan 06 '23 21:01

Hi @jzheaux @sjohnr, a metadata consumer must validate the signature when present. Is there any option to add signature?

sumeetpri · Aug 14 '23 06:08