Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix verification of SAML message signatures #418

Merged
merged 5 commits into from Nov 27, 2017
Merged

Fix verification of SAML message signatures #418

merged 5 commits into from Nov 27, 2017

Conversation

jeffparsons
Copy link
Contributor

@jeffparsons jeffparsons commented Sep 20, 2017
edited

Status

?? READY/IN DEVELOPMENT/HOLD

Description

Current implementation of validate_signature incorrectly assumes it can reconstruct the relevant URI parts (RelayState, SAMLRequest, SigAlg) from the decoded values it receives. This contradicts the SAML specification, which requires computing the signature based on the URI components as sent by the Identity Provider.

The spec actually explicitly remarks that trying to reconstruct the URI parts is a bad idea because there is no single canonical URI encoding of a given value:

Further, note that URL-encoding is not canonical; that is, there are multiple legal encodings for a given value. The relying party MUST therefore perform the verification step using the original URL-encoded values it received on the query string. It is not sufficient to re-encode the parameters after they have been processed by software because the resulting encoding may not match the signer's encoding.

I've preserved the old behaviour in the case that the caller doesn't provide the the correct (raw URI-encoded) parts, for backward compatibility.

This could probably use a couple of tests, but I figured I'd better see if you're ok with the general approach first.

Todos

  • Tests
  • Documentation

Steps to Test or Reproduce

  • Set up a Service Provider using ruby-saml, implementing IDP-initiated "Single Logout" with HTTP-Redirect binding.
  • Register your app in Microsoft ADFS as a Relying Party.
  • Try to log out from Microsoft's ADFS (IDP-initiated SLO).
  • Observe that ruby-saml will erroneously consider the signature on the logout request to be incorrect.

@jeffparsons
Fix verification of SAML message signatures
1cf9ad2 
Old behaviour is preserved if the correct (raw URI-encoded) parts
are not provided.
@jeffparsons
Copy link
Contributor Author

Those test failures on some configs appear to have nothing to do with the code changes.

@pitbulk
Copy link
Collaborator

pitbulk commented Sep 20, 2017

Yes, it seems not related, we will need to apply the same at the validate_signature of the Logout Response.

As well as provide tests and documentation on the README.

@jeffparsons
Test verification of SAML message signatures
c66b940 
Test that providing raw URI components allows correct signature
verification where the URI-encoding differs from that generated
by ruby-saml itself.
@jeffparsons
Fix verification of Logoutresponse signatures
9c701f6 
Old behaviour is preserved if the correct (raw URI-encoded) parts
are not provided.

Previous commits fix (and test) the equivalent check for SloLogoutrequest.
@jeffparsons
Copy link
Contributor Author

@pitbulk I've written some tests, and made the equivalent change for Logoutresponse.

I'm not sure what kind of change you'd like to the README; I can't see any existing documentation about using get_params, so it's not as straightforward as just updating what's already there. Can you give me some pointers on where you'd like the documentation added, and how much detail you'd like?

@pitbulk
Copy link
Collaborator

pitbulk commented Sep 21, 2017

I think we may write an "Update from 1.5.0 to 1.6.0 version" and we ahould describe there that previously we used in LogoutRequest and LogoutResponse constructor the optioms [get_params] but now we recommend to use raw_get_params... and maybe and example of code of the new use.

@jeffparsons
Document options[:raw_get_params] in README.md
b9b6996 
Explains the new parameter, and why to use it.
@jeffparsons
Copy link
Contributor Author

@pitbulk I've pushed some documentation in README.md. Does that look ok to you?

@jeffparsons
Copy link
Contributor Author

Cheers. 😎

@jeffparsons
Copy link
Contributor Author

Is there anything I can do to help move this (and #420) closer to landing?

@pitbulk
Copy link
Collaborator

pitbulk commented Nov 27, 2017

Sorry for the delay, I will merge and do a new release today.

@pitbulk pitbulk merged commit 2704ccf into SAML-Toolkits:master Nov 27, 2017
@jeffparsons
Copy link
Contributor Author

No drama whatsoever. 😃 Cheers!

@md5 md5 mentioned this pull request Feb 22, 2018
Closed
@pitbulk pitbulk mentioned this pull request Aug 28, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jeffparsons @pitbulk