Azure ADFS doesn't sign on top-level but on Assertion level #405
Comments
The authority is the SAML spec. You can find the related documents here: http://saml.xml.org/saml-specifications Find the related section and quote it here. If we can be more spec-compliant, we are interested in a patch.
Sounds good! I've tried to look it up, and I think I've found it, but I'm curious if you agree with me. From https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf
Which seems to state that it's fine either way, so you can sign the document root (Response in my example) or the top-level Assertion (the Assertion with ID="_AAAAA" in my example). I'm willing to create a patch if you agree with this. If you have any directions on how you would patch it yourself, I could bear that in mind.
Just found out that this library does support the mentioned SAML spec. First you check the top-level signature, and if that's not found you check if the assertion is signed and if that signature is correct. Guess we're dealing with a configuration or certificate issue of some sort. Yet to figure that out; I'll comment here if I ever resolve this. I will close this issue.
Azure seems to have a new certificate they use to sign, but this certificate is not in the federation metadata. Haven't found a solution for that yet.
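The lookup order the comment above describes (a top-level Response signature first, then the Assertion's signature), as an added example that is not passport-saml's own code. It is written in Python because the standard-library XML parser is enough to show the structural part of the check: it locates the signature and confirms that its Reference covers the element containing it, and leaves the cryptographic verification to a proper XML-DSig library. The sample Response, its IDs and the placeholder signature value are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIG = "{%s}Signature" % NS["ds"]

# Constructed sample in the shape the thread describes: the Response is not
# signed, the Assertion (ID="_AAAAA") carries an enveloped signature whose
# Reference points at its own ID. The signature value is a placeholder.
ASSERTION_SIGNED = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_RRRRR" Version="2.0">
  <saml:Assertion ID="_AAAAA" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_AAAAA"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def signed_element(xml_bytes):
    """Pick the element whose signature must be verified, in the order the
    thread describes: a top-level Response signature wins, otherwise fall back
    to the Assertion's signature. Returns ('Response'|'Assertion', element).
    Raises ValueError if no signature is found, or if any ds:Signature's
    Reference URI does not point at the element that contains it (a signature
    covering something other than its parent must not be trusted)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document root is not samlp:Response")
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: elem for elem in root.iter() for child in elem}
    for sig in root.iter(DS_SIG):
        owner = parent[sig]
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + owner.get("ID", ""):
            raise ValueError("Signature Reference does not cover its parent")
    if root.find(DS_SIG) is not None:
        return "Response", root          # top-level signature takes precedence
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None and assertion.find(DS_SIG) is not None:
        return "Assertion", assertion    # the Azure ADFS case from the thread
    raise ValueError("neither Response nor Assertion is signed")
```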
Hi,
After a few 'normal' Windows Server ADFS integrations with passport-saml, I tried to implement Azure ADFS today, but something strange seems to happen.
On the callback URL I retrieve an XML in the following form:
In SAML.js, in the validateSignatureForCert function, I see the comment, which I understand but which doesn't seem to be valid for this SAML response. Should we allow just the assertion to be signed and checked?
I'd like to know if this is expected behavior or that it is something that needs to be fixed (I'm happy to supply a PR if that's the case).