
Fail more gracefully when SAML v2 cannot resolve a signature verification key #1217

Status: Closed
robotdan opened this issue May 11, 2021 · 2 comments
Labels: bug (Something isn't working), superseded

Comments

robotdan (Member) commented May 11, 2021

SAML v2 NPE when resolving a public key

Description

A null pointer is thrown when the certificate is not configured correctly. See https://fusionauth.io/community/forum/topic/971/samlv2-error-v1-26-1

After further investigation, I asked the client to

  1. include the x509 certificate in their response
  2. sign the assertion

This fixed the issue. But still, it would be nice for FusionAuth to handle this a little more gracefully.

Exception:
java.lang.NullPointerException
	at io.fusionauth.api.security.SAMLKeySelector.select(SAMLKeySelector.java:35)
	at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:556)
	at java.xml.crypto/org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:268)
	at io.fusionauth.samlv2.service.DefaultSAMLv2Service.verifyEmbeddedSignature(DefaultSAMLv2Service.java:957)
	at io.fusionauth.samlv2.service.DefaultSAMLv2Service.parseResponse(DefaultSAMLv2Service.java:592)
	at io.fusionauth.api.service.authentication.SAMLv2IdentityProviderAuthenticationService._login(SAMLv2IdentityProviderAuthenticationService.java:91)
	at io.fusionauth.api.service.authentication.SAMLv2IdentityProviderAuthenticationService$$EnhancerByGuice$$2d68788c.CGLIB$_login$4(<generated>)
	at io.fusionauth.api.service.authentication.SAMLv2IdentityProviderAuthenticationService$$EnhancerByGuice$$2d68788c$$FastClassByGuice$$20fb48ec.invoke(<generated>)
	at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)

Affects versions

?

Steps to reproduce

?

Expected behavior

To fail, but perhaps with more grace.

Related

https://fusionauth.io/community/forum/topic/971/samlv2-error-v1-26-1

Additional context

Add any other context about the problem here.
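The trace above ends in an NPE inside a `javax.xml.crypto.KeySelector`, which is the hook `XMLSignature.validate` calls to turn the `<ds:KeyInfo>` of a SAML response into a verification key. The following is an added example of how such a selector can fail descriptively instead; it is not FusionAuth's `SAMLKeySelector` and makes no claim about how the fix in the linked work was implemented. It assumes the caller passes in the IdP certificate(s) configured out of band (the `trustedIdpCertificates` list and the class name are hypothetical). Two points matter from a defender's view: an embedded certificate is only used if it matches a configured one (otherwise any party could sign with a key of their choosing and embed the matching cert), and a response with no usable `KeyInfo` produces a `KeySelectorException` with a reason, which `validate` surfaces as an `XMLSignatureException` rather than an NPE.

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;

/**
 * Hypothetical key selector for SAML v2 response signatures (added example,
 * not FusionAuth's code). Resolves the verification key from KeyInfo only when
 * the embedded certificate matches a configured IdP certificate, otherwise
 * falls back to the configured certificate, and fails with a descriptive
 * KeySelectorException instead of a NullPointerException when neither works.
 */
public final class GracefulSamlKeySelector extends KeySelector {
  // IdP certificates configured out of band by the operator (assumed to be supplied by the caller).
  private final List<X509Certificate> trustedIdpCertificates;

  public GracefulSamlKeySelector(List<X509Certificate> trustedIdpCertificates) {
    this.trustedIdpCertificates = trustedIdpCertificates == null
        ? Collections.emptyList()
        : Collections.unmodifiableList(trustedIdpCertificates);
  }

  @Override
  public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                  XMLCryptoContext context) throws KeySelectorException {
    // 1. KeyInfo may be absent entirely (the situation in this issue): guard before touching it.
    if (keyInfo != null) {
      for (Object item : keyInfo.getContent()) {
        if (!(item instanceof X509Data)) {
          continue;
        }
        for (Object element : ((X509Data) item).getContent()) {
          if (!(element instanceof X509Certificate)) {
            continue;
          }
          X509Certificate embedded = (X509Certificate) element;
          // 2. Only trust an embedded certificate that is byte-for-byte one we already trust.
          for (X509Certificate trusted : trustedIdpCertificates) {
            if (trusted.equals(embedded)) {
              PublicKey key = trusted.getPublicKey();
              return () -> key;
            }
          }
        }
      }
    }

    // 3. No usable embedded certificate: fall back to the single configured IdP certificate.
    //    With several configured certificates there is no way to know which one signed this
    //    response without a matching KeyInfo, so that case is treated as unresolved below.
    if (trustedIdpCertificates.size() == 1) {
      PublicKey key = trustedIdpCertificates.get(0).getPublicKey();
      return () -> key;
    }

    // 4. Nothing to verify with: report why, instead of dereferencing a null key.
    throw new KeySelectorException(
        "Unable to resolve a SAML signature verification key: KeyInfo contained no trusted "
            + "X509Certificate and " + trustedIdpCertificates.size()
            + " IdP certificate(s) are configured (exactly one is required for the fallback)");
  }
}
```

With this selector, a response that omits the certificate still verifies when the operator has configured the IdP certificate, which matches what the second comment below asks about; a response whose embedded certificate is unknown, or a deployment with no configured certificate, fails at `XMLSignature.validate` with a message an operator can act on, and the caller should log that message and reject the login rather than treat any exception as a crash.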

@robotdan robotdan added the bug Something isn't working label May 11, 2021
@robotdan robotdan added this to Backlog in FusionAuth Issues via automation May 11, 2021
atabakhafeez commented

Hi @robotdan,

we are facing the same issue with one of our customers. We recently shifted this customer over to FusionAuth from a different Auth system that we used (Keycloak).

The SAML response from this customer contains the Signature but not the X509 certificate. They have told me that this works for them with a multitude of other Auth applications -- i.e. they should not need to include the X509 certificate. I am not sure if this is the actual case, but could it be that FusionAuth requires the X509 certificate in the SAML response, while it is not a must to be so?

robotdan (Member, Author) commented Aug 1, 2021

Fixing under #1332
