Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LogoutRequest signature not validated #469

Closed
markusglue opened this issue Apr 14, 2016 · 0 comments · Fixed by wso2-extensions/identity-inbound-auth-saml#213
Closed

LogoutRequest signature not validated #469

markusglue opened this issue Apr 14, 2016 · 0 comments · Fixed by wso2-extensions/identity-inbound-auth-saml#213
Assignees
@somindatommy
Labels
Affected/5.7.0 bug Complexity/Medium Component/SAML Priority/Highest Resolution/Fixed Severity/Critical
Milestone
5.8.0-Beta

Comments

@markusglue
Copy link

For a service provider we have activated signature validation for requests and responses in the configuration for SAML2 web SSO.

An AuthnRequest is correctly denied when only the SAMLRequest parameter is present in the redirect Url to the IdentityServer. It works well when additional parameters "SigAlg" and "Signature" are correctly set.

A LogoutRequest can pass successfully without having a deflated signature in the redirect Url.
The SPInitLogoutRequestProcessor seems to ignore the configured validation.
@pulasthi7 pulasthi7 added this to the 5.6.0 milestone May 21, 2018
@isharak isharak modified the milestones: 5.6.0, FUTURE May 21, 2018
@malithie malithie modified the milestones: FUTURE, 5.7.1-GA Mar 4, 2019
@somindatommy somindatommy mentioned this issue Mar 13, 2019
Merged
19 tasks
@thanujalk thanujalk modified the milestones: 5.7.1-GA, 5.8.0-GA Mar 25, 2019
@malithie malithie modified the milestones: 5.8.0-GA, 5.8.0-Beta Apr 5, 2019
thanujalk added a commit that referenced this issue May 9, 2020
@thanujalk
Merge pull request #8304 from jenkins-is-staging/dev_IS_dependency_up…
d9ffa69 
…dater/1588974065723

Bump Dependencies #469
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@somindatommy somindatommy

Labels
Affected/5.7.0 bug Complexity/Medium Component/SAML Priority/Highest Resolution/Fixed Severity/Critical
Projects
None yet
Milestone
5.8.0-Beta
Development

Successfully merging a pull request may close this issue.

Fix logoutRequest signature validation somindatommy/identity-inbound-auth-saml
7 participants
@madurangasiriwardena @pulasthi7 @thanujalk @malithie @isharak @markusglue @somindatommy