Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow raw (unsigned) assertions #10

Open
wants to merge 36 commits into
base: master
Choose a base branch
from
Open

Allow raw (unsigned) assertions #10

wants to merge 36 commits into from

Conversation

rordeix
Copy link

@rordeix rordeix commented Sep 11, 2020
edited
Loading

According to SAML specifications assertions may be signed.

This PR allows to add raw assertions on responses.
I branched from signed_response_message which has an updated README about signing responses and assertions

oTsogbadrakhChinzorig and others added 30 commits January 17, 2019 21:56
@oTsogbadrakhChinzorig
Identify incoming metadata
1d859c1
@oTsogbadrakhChinzorig
Signed message
2f5be4d 
Some SP required to do sign SAML response message it self.
Follow the origin coding style


Signed message opts


signed was the instance method
@oTsogbadrakhChinzorig
Identify incoming metadata
43161e2 
Small test for Entity ID
@oTsogbadrakhChinzorig
Revert "Identify incoming metadata"
41e119f 
This reverts commit 1d859c1.
@oTsogbadrakhChinzorig
Signed message (document)
5b2b924 
ID should be same for sign and document
@oTsogbadrakhChinzorig
Merge branch 'entity_id_for_incoming_metadata' into updates_for_saml_idp
9d933ec
@oTsogbadrakhChinzorig
Merge branch 'entity_id_for_incoming_metadata' into updates_for_saml_idp
799513d
@oTsogbadrakhChinzorig
Signed response
cfafa21
@oTsogbadrakhChinzorig
Merge branch 'updates_for_saml_idp' into signed_response_message
cba7e02
@oTsogbadrakhChinzorig
Revert "Merge branch 'updates_for_saml_idp' into signed_response_mess…
8332984 
…age"

This reverts commit cba7e02.
@oTsogbadrakhChinzorig
Signed response
0492dbd
@oTsogbadrakhChinzorig
Test for Signature part
ebcc9bc
@oTsogbadrakhChinzorig
Merge branch 'signed_response_message' into updates_for_saml_idp
015bfd5
@oTsogbadrakhChinzorig
Merge branch 'signed_response_message' into updates_for_saml_idp
9b988e7
@Zogoo
Set theme jekyll-theme-architect
317f0bb
@oTsogbadrakhChinzorig
Merge branch 'entity_id_for_incoming_metadata' into updates_for_saml_idp
438bc93
@oTsogbadrakhChinzorig
Travis build update
ba8c606 
Install bundle for RVM version
Exclude build with issue because, can't check rails version before install it.
@Zogoo
Merge pull request #1 from Zogoo/updates_for_saml_idp
c2e77ea 
Update library for cloud SAML services.
@oTsogbadrakhChinzorig
Identify incoming metadata
ed07afc 
Small test for Entity ID


Name space should be defined
@oTsogbadrakhChinzorig
Merge branch 'updates_for_saml_idp'
26d83c4
@Zogoo
Adding required gem for response encryption
19761d8
@Zogoo
Set theme jekyll-theme-midnight
274fbfa
@Zogoo
Merge branch 'master' into require_xmlenc_gem
4acb010
@Zogoo
Merge branch 'require_xmlenc_gem'
397c84c
@Zogoo
Merge branch 'master' into signed_authn_request
4853058
@Zogoo
Merge branch 'saml_idp/signed_authn_request' into signed_authn_request
bb8ac29
@Zogoo
Merge branch 'saml_idp/redirect_sso_url' into signed_authn_request
27320ca
@Zogoo
Ignore VS code config
012b708
@Zogoo
Merge branch 'master' into signed_authn_request
78be522
@Zogoo
Merge branch 'signed_authn_request'
d5c4edf
@Zogoo
Copy link
Owner

Zogoo commented Sep 14, 2020
edited
Loading

According to SAML specifications assertions may be signed.

This PR allows to add raw assertions on responses.
I branched from signed_response_message which has an updated README about signing responses and assertions

Thanks for your contribution, I like to have an optional config for Assertion signature. But, I just wonder that is there any use case for non signed assertion, because for security reason assertion or response must be signed right?
https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html

Zogoo
Zogoo requested changes Sep 14, 2020
View reviewed changes
@rordeix
Copy link
Author

rordeix commented Sep 14, 2020

According to SAML specifications assertions may be signed.
This PR allows to add raw assertions on responses.
I branched from signed_response_message which has an updated README about signing responses and assertions

Thanks for your contribution, I like to have an optional config for Assertion signature. But, I just wonder that is there any use case for non signed assertion, because for security reason assertion or response must be signed right?
https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html

I agree with you, for security reasons assertions should be signed.
In our case we have an idp initiated flow to a server which requires the responses the to be signed but does not support signed assertions.
I thought someone else could face same problem (it could be fixed on the other side too, if they add support for signed assertions). Perhaps is a really particular case and does not add much value to anyone else?

@Zogoo
Copy link
Owner

Zogoo commented Sep 15, 2020

According to SAML specifications assertions may be signed.
This PR allows to add raw assertions on responses.
I branched from signed_response_message which has an updated README about signing responses and assertions

Thanks for your contribution, I like to have an optional config for Assertion signature. But, I just wonder that is there any use case for non signed assertion, because for security reason assertion or response must be signed right?
https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html

I agree with you, for security reasons assertions should be signed.
In our case we have an idp initiated flow to a server which requires the responses the to be signed but does not support signed assertions.
I thought someone else could face same problem (it could be fixed on the other side too, if they add support for signed assertions). Perhaps is a really particular case and does not add much value to anyone else?

Actually, I was missing that if response itself get signed by "IdP", assertion could be as raw. It won't bring critical security issue.
And it might be good that print warning if someone mistakenly allows unsigned response with unsigned assertion.
About as merge request if you are not rushing, can I wait for some other guys also give some review of your idea?

@rordeix
Copy link
Author

rordeix commented Sep 17, 2020

I addressed your comments. I'm not sure about the controller test, please take a look and any feedback is welcome.
About the merge request, there is no rush, we are using our own fork in the meantime. When this gets merged we will update our gemfile.
One unrelated question to this PR, if I can ask: is saml-idp#88 is merged on this repo?

@rordeix rordeix requested a review from Zogoo September 17, 2020 10:22
@Zogoo
Copy link
Owner

Zogoo commented Sep 23, 2020

I addressed your comments. I'm not sure about the controller test, please take a look and any feedback is welcome.
About the merge request, there is no rush, we are using our own fork in the meantime. When this gets merged we will update our gemfile.
One unrelated question to this PR, if I can ask: is saml-idp#88 is merged on this repo?

I'm not merged yet. I have solved the issue with lambda which return what I wanted to return. I could achieve that which overrides SAML IdP config before generate response.
But, I just created a new pull request for saml_idp#88 in my repo and checking how will affect to an existing project.
BTW, I just thought that we can communicate each other on Gitter and I have recently created room. If you want to join, here is the link https://gitter.im/saml_idp

@rordeix
Copy link
Author

rordeix commented Sep 28, 2020

I addressed your comments. I'm not sure about the controller test, please take a look and any feedback is welcome.
About the merge request, there is no rush, we are using our own fork in the meantime. When this gets merged we will update our gemfile.
One unrelated question to this PR, if I can ask: is saml-idp#88 is merged on this repo?

I'm not merged yet. I have solved the issue with lambda which return what I wanted to return. I could achieve that which overrides SAML IdP config before generate response.
But, I just created a new pull request for saml_idp#88 in my repo and checking how will affect to an existing project.
BTW, I just thought that we can communicate each other on Gitter and I have recently created room. If you want to join, here is the link https://gitter.im/saml_idp

Thank you, Zogoo! For your answers and the invitation, I will join the Gitter room

@Zogoo
Copy link
Owner

Zogoo commented Jan 6, 2021

@rordeix my all pull requests are merged into original repo, if you create your pull request in original repo, probably other guys also take look at it and we might can easily merge it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Zogoo Zogoo Awaiting requested review from Zogoo

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rordeix @Zogoo @oTsogbadrakhChinzorig