[KEYCLOAK-4377] Signature validation fails on brokered SAML 2.0 IDP if Assertion is encrypted. - Red Hat Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: 1.9.8.Final, 2.5.3.Final
Fix Version/s: 3.2.0.CR1
Component/s: SAML
Labels:
None

Security Sensitive Issue:

This issue is security relevant
Steps to Reproduce:

Hide

Configure an IDP that returns an unsigned Response with a signed, encrypted Assertion.
Check 'Validate Signature'.
An error will be thrown that the signature is invalid (because the code doesn't find a Signature element).

Show
Configure an IDP that returns an unsigned Response with a signed, encrypted Assertion. Check 'Validate Signature'. An error will be thrown that the signature is invalid (because the code doesn't find a Signature element).
Docs QE Status:
NEW
QE Status:
VERIFIED

Description

When the option 'Validate Signature' is set on a broker SAML 2.0 IDP, KeyCloak throws an exception if the signature is placed inside an encrypted assertion of the response.
As this is a valid case of a signed SAML document, this error should not be thrown unless the signature is actually invalid.
The current implementation doesn't verify the message for encrypted assertions before searching the document for a signature on the response or assertion level.

Attachments

Issue Links

relates to

KEYCLOAK-4897 SAML Adapter fails to validate signature on encrypted assertion

Closed

Activity

People

Assignee:: Hynek Mlnařík

Reporter:: Frederik Libert (Inactive)

Tester:: Michal Hajas

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017/02/03 6:56 PM

Updated:: 2017/12/19 7:13 AM

Resolved:: 2017/06/28 2:21 AM