samlify icon indicating copy to clipboard operation
samlify copied to clipboard

Published 20 hours ago verified publisher icon tngan

Validation of InResponseTo against ID of AuthnRequest

Open gingerwizard opened this issue 5 years ago • 5 comments

Am i correct that that currently samlify doesn't validate the InResponseTo against the ID of the AuthnRequest? If not, does this not prevent reuse of AuthnRequests and thus the limitation represents a vulnerability? If the above is true, are there examples of how samlify should be extended to provide this support - i assume a distributed cache is required e.g. Redis.

Finally, would this also need to consider the IssueInstant to prevent an ever growing cache?

gingerwizard avatar Jan 08 '20 10:01 gingerwizard

@gingerwizard Yes, we don't check it right now, we just extract the essential information from the response, and delegate the checking process to user side now, we only provide decryption and signature validation right now.

We do have plan to include those basic checking like expiration, issuer, response target in the near future.

tngan avatar Jan 10 '20 05:01 tngan

Does it make sense to verify the InResponseTo property if you allow IdP-initiated SSO? As far as the spec goes the property will be omitted in that scenario.

What I also noticed which is even more important to verify is the login response ID to prevent replay attacks. See 4.1.4.5:

The service provider MUST ensure that bearer assertions are not replayed, by maintaining the set of used ID values for the length of time for which the assertion would be considered valid based on the NotOnOrAfter attribute in the <SubjectConfirmationData>.

We might want to open another issue for this but also in my opinion this is hard to implement in the library itself since you would have to store the ids in-memory which wont work in most system where a distributed cluster is used. Probably the best thing would be to mention this somewhere in the documentation that this has to be implemented on top of the validation the library does. According to the specification this is not optional.

nflaig avatar Apr 10 '20 15:04 nflaig

So just curious will any of the properties mentioned expiration, issuer, response target and login response id are still planed to be validated? If so is there a timeline of when this feature might be available?

tmonck avatar Nov 03 '20 20:11 tmonck

Just checking in post the new year to see if there is anything on this.

tmonck avatar Jan 04 '21 16:01 tmonck

Hello!

Has anything changed since your original response to @gingerwizard ? Does the app now validate the ID of a received SAMLResponse against IDs that it has issued in SAMLRequests?

Thanks 🥇

williwlwilliwll avatar Jun 23 '23 08:06 williwlwilliwll