No exception thrown when receiving a message which is missing a SAML assertion signature element.

matthew weaver
I have a scenario where I am trying to process a message with message-level security including a SAML 2.0 holder-of-key assertion. In the process of testing a negative scenario, I have found that if the Security/Assertion/Issuer/Signature element is not present, Metro will continue to process the message as if the security of the message is OK. I believe this field is required for message-level security.

Here is an example excerpt of a message which I believe should fail with a soap fault, but is processed normally:
<wsse:Security S:mustUnderstand="true">
  <wsu:Timestamp>
    <wsu:Created>2013-06-23T00:34:35Z</wsu:Created>
    <wsu:Expires>2013-06-23T00:39:35Z</wsu:Expires>
  </wsu:Timestamp>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_de9c5c764c5a48cc969fa4ef0b4d50ae" IssueInstant="2013-06-23T00:34:35.590Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US
    </saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=TS: PRL-R-0035.0-2011 TC: MAQD-R-0003.301-2011</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml2:SubjectConfirmationData>
          <ds:KeyInfo>
            <ds:KeyValue>
              <ds:RSAKeyValue>
                <ds:Modulus>
                  j+vSaNxHnVA/M1RwGxqLbI34ZmUYUDdoDM7I8w+MT6DSCONKbdSqUua0I2YpeEAO23F5XQvCV3v59pOXjJpsQ0rGMrjSsDiLRDMgzYDilf3NjoGePBg7yEce4IEu6yF7ZEyHvsV3zWpvtGnwZEkiYFQ7vceLg9+UHM6PBOBaEndGT49bFG9pAFj6uIOiijSQ1d/vx8aP6I8+uEGnYxuF3QNoUGB39teG84d+hfLD5NxF92W0DVc9f0sZf/dlG2Pk+qeU9hArLMv+T268YDsUTnx41BOIVnrMPQPPO+QAE8zbCe9JQOzb8afcUHCDY2RkXZJBJ8S3fiDuB5l11G58bQ==
                </ds:Modulus>
                <ds:Exponent>AQAB</ds:Exponent>
              </ds:RSAKeyValue>
            </ds:KeyValue>
          </ds:KeyInfo>
        </saml2:SubjectConfirmationData>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    ...
  </saml2:Assertion>

I am expecting a signature to appear right after the Issuer. Any thoughts?
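An added example (not from the original post and not Metro's own code) of the structural check the poster expects the receiving stack to perform: parse the wsse:Security header and reject any saml2:Assertion that does not carry an enveloped ds:Signature as a direct child whose Reference URI points back at the assertion's ID. The two sample headers are constructed from the excerpt above; the namespace declarations for wsse, wsu and ds are assumed because the excerpt omits them, and the ds:Signature in the "signed" sample is a structural placeholder only, so cryptographic verification of the signature still has to follow this check in a real receiver.

```python
import xml.etree.ElementTree as ET

# Namespace URIs assumed for the prefixes the excerpt uses without declaring them.
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class MissingAssertionSignature(Exception):
    """Raised when an assertion used for message-level security is not signed."""


def check_assertion_signatures(security_header_xml: str) -> list:
    """Return the IDs of all assertions in the header that carry a well-placed
    enveloped signature; raise if any assertion lacks one.

    This is a structural pre-check: it proves a signature element is present
    and bound to the assertion's ID, not that the signature is valid. Real
    signature verification must still run afterwards."""
    root = ET.fromstring(security_header_xml)
    assertions = root.findall(".//saml2:Assertion", NS)
    if not assertions:
        raise MissingAssertionSignature("no saml2:Assertion found in wsse:Security")
    checked = []
    for assertion in assertions:
        aid = assertion.get("ID")
        # SAML 2.0 places the enveloped signature as a direct child of the
        # Assertion (after Issuer); a Signature nested anywhere else does not count.
        sig = assertion.find("ds:Signature", NS)
        if sig is None:
            raise MissingAssertionSignature(f"assertion {aid} has no ds:Signature child")
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != f"#{aid}":
            raise MissingAssertionSignature(f"signature on assertion {aid} does not reference it")
        checked.append(aid)
    return checked


# Constructed header modelled on the post's excerpt: holder-of-key assertion, no signature.
UNSIGNED_HEADER = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
    xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}">
  <wsu:Timestamp>
    <wsu:Created>2013-06-23T00:34:35Z</wsu:Created>
    <wsu:Expires>2013-06-23T00:39:35Z</wsu:Expires>
  </wsu:Timestamp>
  <saml2:Assertion ID="_de9c5c764c5a48cc969fa4ef0b4d50ae" IssueInstant="2013-06-23T00:34:35.590Z" Version="2.0">
    <saml2:Issuer>CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>UID=constructed-subject</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
        <saml2:SubjectConfirmationData>
          <ds:KeyInfo><ds:KeyName>holder-key-placeholder</ds:KeyName></ds:KeyInfo>
        </saml2:SubjectConfirmationData>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
  </saml2:Assertion>
</wsse:Security>"""

# Structural placeholder for an enveloped signature right after the Issuer
# (constructed; the SignatureValue is not a real signature).
_SIGNATURE_STUB = """<ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_de9c5c764c5a48cc969fa4ef0b4d50ae"/>
      </ds:SignedInfo>
      <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    </ds:Signature>
    """
SIGNED_HEADER = UNSIGNED_HEADER.replace("<saml2:Subject>", _SIGNATURE_STUB + "<saml2:Subject>", 1)


if __name__ == "__main__":
    print("signed header ->", check_assertion_signatures(SIGNED_HEADER))
    try:
        check_assertion_signatures(UNSIGNED_HEADER)
    except MissingAssertionSignature as exc:
        print("unsigned header rejected:", exc)
```

Run stand-alone, the check returns the assertion ID for the signed sample and raises for the unsigned one; a signature that is present but references a different ID, or sits somewhere other than as a direct child of the Assertion, is rejected the same way. In a receiver this belongs before any claim from the assertion is trusted, and it only complements the actual signature verification rather than replacing it.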
Re: No exception thrown when receiving a message which is missing a SAML assertion signature element.

TomekJavaMetro
Hello,

Very interesting thing ...

What version of Metro do you use?

Is the STS service used in your scenario?