This repository has been archived by the owner on Nov 29, 2022. It is now read-only.
SES-46: Encrypted assertions ignored in SAML reply #52
Labels: in: core (an issue in spring-security-saml-core); type: bug (a general bug); type: jira (an issue that was migrated from JIRA)
Rob Moore (Migrated from SES-46) said:
The current implementation does not check for encrypted assertions. In the case where the SAML reply is encrypted this means that no assertions are found. The code checks for encrypted values in other cases so this leads to unexpected behavior as it appears as if no assertion was found in the response when really the assertion was simply encrypted.
Rather than simply calling response.getAssertions() alone, one approach would also call response.getEncryptedAssertions() and add the decrypted assertions to the list returned from the first call (assuming it's modifiable; otherwise a fresh, independent list could be created). This two-pass approach seems consistent with existing code (see how attributes are handled in the code in WebSSOProfileConsumer.processResponse()).
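One way to implement the two-pass approach described in the report, as an added example that is not code from the issue or from spring-security-saml; it is written against the OpenSAML 2.x types the project uses (Response, Assertion, EncryptedAssertion, Decrypter), and the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.encryption.DecryptionException;

/**
 * Collects every assertion carried by a SAML Response, decrypting
 * <saml:EncryptedAssertion> elements with the SP's Decrypter so that
 * they are not silently ignored. Illustration only, not project code.
 */
public final class AssertionCollector {

    private AssertionCollector() {
    }

    public static List<Assertion> collectAssertions(Response response, Decrypter decrypter)
            throws DecryptionException {
        // First pass: plaintext assertions. Copy into a fresh list instead of
        // mutating the one returned by response.getAssertions(), which is the
        // live child list of the parsed <samlp:Response> element.
        List<Assertion> assertions = new ArrayList<Assertion>(response.getAssertions());

        // Second pass: encrypted assertions.
        List<EncryptedAssertion> encrypted = response.getEncryptedAssertions();
        if (!encrypted.isEmpty() && decrypter == null) {
            // Fail closed: an encrypted assertion the SP cannot read must not
            // look like "no assertion found" to the caller.
            throw new DecryptionException("Response carries " + encrypted.size()
                    + " encrypted assertion(s) but no Decrypter is configured");
        }
        for (EncryptedAssertion ea : encrypted) {
            // Decrypter.decrypt throws DecryptionException on a wrong key or
            // malformed EncryptedData; let it propagate so the response is rejected.
            assertions.add(decrypter.decrypt(ea));
        }

        // Callers must run the same signature, issuer, conditions and subject
        // confirmation checks over every element of this list, decrypted or not.
        return assertions;
    }
}
```

The Decrypter should be created with setRootInNewDocument(true) so that signatures on the decrypted assertions still validate after decryption.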