Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is it possible to get "WantAssertionsSigned = true" to work? #533

Closed
HendrikJan opened this issue Feb 9, 2021 · 4 comments · Fixed by #536
Closed

Is it possible to get "WantAssertionsSigned = true" to work? #533

HendrikJan opened this issue Feb 9, 2021 · 4 comments · Fixed by #536
Labels
new-feature pr-welcome

Comments

@HendrikJan
Copy link
Contributor

Our IdP is requiring that we set WantAssertionsSigned to true in the metadata we send them.

I did not find an option in the documentation to add WantAssertionsSigned="true" to the metadata when calling generateServiceProviderMetadata( decryptionCert, signingCert ).
I did not find the string "WantAssertionsSigned" anywhere in the code, so I assume this is not implemented.

Therefore I added it to the generated metadata this way:

xml2js.parseString(metadata, (err, result) => {
        // Add WantAssertionsSigned to the metadata (as requested by IdP)
        result.EntityDescriptor.SPSSODescriptor[0].$.WantAssertionsSigned = 'true';

       // Convert JSON back to XML
      const builder = new xml2js.Builder();
      xml = builder.buildObject(result);
}

I was hoping the assertions would be signed anyway and thus this would work out fine.
However, the IdP now returns "NotAuthorized", and testing with SimpleSamlPhp as IdP, we now get the error: "Unable to validate signature on query string."
Unfortunately I am not very experienced with SAML and so far not able to solve this myself.

Does the current version of passport-saml support signing assertions, and what configuration options should I set?
@cjbarth
Copy link
Collaborator

cjbarth commented Feb 9, 2021

Thank you for your feedback about this feature. I don't believe we support this feature, particularly if you've already searched the code like you have. We aren't really in a position to implement features for others, but we do try to help others add the features correct and include them in this project.

We typically start by asking that a link to the relevant part of the SAML spec be linked to. Then a test need to be written to validate that the feature currently doesn't work which asserts that it is working like it should after it is implemented.

@HendrikJan
Copy link
Contributor Author

Hi @cjbarth, thank you for the quick reply.
I did solve my problem. Just manually adding WantAssertionsSigned="true" to the metadata XML is enough.
The reason my IdP rejected was because I set encryption to sha512, which was not supported by the IdP.

In case anybody else is looking for "WantAssertionsSigned" and stumbling upon this issue:
The SAML Spec says this:

WantAssertionsSigned [Optional]
Optional attribute that indicates a requirement for the saml:Assertion elements received bythis service provider to be signed.If omitted, the value is assumed to be false. This requirementis in addition to any requirement for signing derived from the use of a particular profile/bindingcombination. [E7]Note that an enclosing signature at the SAML binding or protocol layer does notsuffice to meet this requirement, for example signing a samlp:Response containing theassertion(s) or a TLS connection.

@cjbarth
Copy link
Collaborator

cjbarth commented Feb 10, 2021

@HendrikJan Would you be willing to make a PR that includes the changes that you made so that they can end up in this code so you don't have to maintain a fork and so that others can benefit from your discovery?

@HendrikJan
Copy link
Contributor Author

HendrikJan commented Feb 10, 2021
edited
Loading

@cjbarth.
Unfortunately I did not make a fork.
I wouldn't know where to look in the code to fix this (I didn't read the code, only did a search for "WantAssertionsSigned")

What I did was fix the generated metadata after generating (so outside of passport-saml).

function generateMetadata() {
    const decryptionCrt = fs.readFileSync(samlConfig.saml_crt_file, 'utf8');
    const metadata = samlStrategy.generateServiceProviderMetadata( // <-- here metadata is generated
        decryptionCrt, // should match with samlStrategy:decryptionPvk
        decryptionCrt // should match with samlStrategy:privateCert
    );

    let xml = '';

    // Convert XML to JSON
    xml2js.parseString(metadata, (err, result) => {
        if (err) {
            throw err;
        }

        // Add AuthnRequestsSigned to the metadata (as requested by ITS)
        result.EntityDescriptor.SPSSODescriptor[0].$.AuthnRequestsSigned = 'true';
        result.EntityDescriptor.SPSSODescriptor[0].$.WantAssertionsSigned = 'true'; // <-- here I add to metadata

        // Convert JSON back to XML
        const builder = new xml2js.Builder();
        xml = builder.buildObject(result);
    });

    return xml;
}

I'll try to read the code this weekend and see if I can create a PR, but I'm not sure I will succeed.

@HendrikJan HendrikJan reopened this Feb 10, 2021
@HendrikJan HendrikJan mentioned this issue Feb 13, 2021
Merged
@cjbarth cjbarth linked a pull request Feb 15, 2021 that will close this issue
Add WantAssertionsSigned #536
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
new-feature pr-welcome
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add WantAssertionsSigned HendrikJan/passport-saml
2 participants
@HendrikJan @cjbarth