spring-projects
saml assertion verification does not work in spring-security version 5.7.1
Describe the bug If your SAML Response is signed, spring security wont be able to verify that I did some debugging and discovered that the following class had the problem.
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to establish trust of KeyInfo-derived credential 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to verify signature and/or establish trust using any KeyInfo-derived credentials 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Attempting to verify signature using trusted credentials 2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Failed to verify signature using either KeyInfo-derived or directly trusted credentials
in the following method trustedCredentials is empty that shouldn't have
protected boolean evaluateTrust(@Nonnull Credential untrustedCredential, @Nullable Iterable<Credential> trustedCredentials) throws SecurityException {
return this.keyTrust.validate(untrustedCredential, trustedCredentials);
}
To Reproduce Steps to reproduce the behavior.
Expected behavior A clear and concise description of what you expected to happen.
Sample
A link to a GitHub repository with a minimal, reproducible sample.
Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.
Hi @miimnoon, thanks for the report.
Can you confirm if the verification works in version < 5.7.1?
Hi @marcusdacoregio
I'm pretty sure that it works in 5.6.3. I was using spring boot 2.6.6 (spring security 5.6.3) and it works fine after updating to spring boot 2.7.0 (spring security 5.7.1) It does not work.
yes. I also meet the issue. Do you know how to fix it ?
remove other configure item. keepmetadata is works. spring.security.saml2.relyingparty.registration.okta.assertingparty.metadata-uri=https://{app}.okta.com/app/{xxxx}/sso/saml/metadata
application.properties spring.security.saml2.relyingparty.registration.okta.identityprovider.entity-id=http://www.okta.com/{appkey} spring.security.saml2.relyingparty.registration.okta.identityprovider.verification.credentials[0].certificate-location=classpath:rp-certificate.crt spring.security.saml2.relyingparty.registration.okta.identityprovider.singlesignon.url=https://trial-{appid}.okta.com/app/trial-{xxx}/{xxx}/sso/saml spring.security.saml2.relyingparty.registration.okta.identityprovider.singlesignon.sign-request=false
java code
`
@AutoConfiguration public class SecurityConfiguration {
@Bean
SecurityFilterChain configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeHttpRequests(authorize -> authorize
.mvcMatchers("/favicon.ico").permitAll()
.anyRequest().authenticated()
)
.saml2Login(
withDefaults()
)
.saml2Logout(withDefaults());
// @formatter:on
return http.build();
}
}
pom.xml:
I also faced the same issue. I think the issue is with this commit in spring boot.
In Saml2RelyingPartyRegistrationConfiguration.AssertingPartyProperties.get(String name, Function<AssertingParty, T> getter) method, value of getAssertingParty is returned if the value in not null.
In case of verification, it will be always not null(It is initiated as new Verification() in Saml2RelyingPartyProperties) and hence the verification creds given with identityprovider key will be ignored and fails the signature validation on saml2 response.
So changing the key from identityprovider to assertingparty works fine.
Is the issue still being reproduced? I think the above-mentioned commit may have been solved as it was forward-ported.
