No exception thrown when receiving a message which is missing a SAML assertion signature element.

  • From: matthew weaver <mw4forums@...>
  • To: users@...
  • Subject: No exception thrown when receiving a message which is missing a SAML assertion signature element.
  • Date: Mon, 1 Jul 2013 17:02:21 -0400

I have a scenario where I am trying to process a message with message level
security including a SAML 2.0 holder-of-key assertion. In the process of
testing a negative scenario, I have found that if the
Security/Assertion/Issuer/Signature element is not present, Metro will
continue to process the message as if the security of the message is OK. I
believe this field is required for message level security.

Here is an example excerpt of a message which I believe should fail with a
SOAP fault, but is processed normally:
<wsse:Security S:mustUnderstand="true">
<wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns16="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
<wsu:Created>2013-06-23T00:34:35Z</wsu:Created>
<wsu:Expires>2013-06-23T00:39:35Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
ID="_de9c5c764c5a48cc969fa4ef0b4d50ae"
IssueInstant="2013-06-23T00:34:35.590Z" Version="2.0">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US
</saml2:Issuer>
<saml2:Subject>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=TS:
PRL-R-0035.0-2011 TC: MAQD-R-0003.301-2011</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
j+vSaNxHnVA/M1RwGxqLbI34ZmUYUDdoDM7I8w+MT6DSCONKbdSqUua0I2YpeEAO23F5XQvCV3v59pOXjJpsQ0rGMrjSsDiLRDMgzYDilf3NjoGePBg7yEce4IEu6yF7ZEyHvsV3zWpvtGnwZEkiYFQ7vceLg9+UHM6PBOBaEndGT49bFG9pAFj6uIOiijSQ1d/vx8aP6I8+uEGnYxuF3QNoUGB39teG84d+hfLD5NxF92W0DVc9f0sZf/dlG2Pk+qeU9hArLMv+T268YDsUTnx41BOIVnrMPQPPO+QAE8zbCe9JQOzb8afcUHCDY2RkXZJBJ8S3fiDuB5l11G58bQ==
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
...
</saml2:Assertion>

I am expecting a signature to appear right after the Issuer. Any thoughts?
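
An added example, not part of the original post and not Metro code: a structural pre-check in Python that flags a wsse:Security header whose saml2:Assertion has no enveloped ds:Signature directly after the Issuer, or whose signature references a different ID. It assumes the receiver's policy requires signed assertions; the function name and the sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def assertion_signature_problems(security_xml):
    """Return structural problems; an empty list means every assertion
    carries a ds:Signature bound to its own ID. This is a pre-check only:
    it does not verify the signature value or the signer's trust."""
    root = ET.fromstring(security_xml)
    problems = []
    assertions = list(root.iter(q("saml2", "Assertion")))
    if not assertions:
        problems.append("no saml2:Assertion present")
    for a in assertions:
        aid = a.get("ID")
        children = list(a)
        # SAML 2.0 schema order: Issuer first, then the optional ds:Signature.
        if not children or children[0].tag != q("saml2", "Issuer"):
            problems.append("%s: first child is not saml2:Issuer" % aid)
            continue
        if len(children) < 2 or children[1].tag != q("ds", "Signature"):
            problems.append("%s: no ds:Signature after Issuer" % aid)
            continue
        refs = children[1].findall("ds:SignedInfo/ds:Reference", NS)
        if not aid or [r.get("URI") for r in refs] != ["#" + aid]:
            problems.append("%s: signature does not reference the assertion ID" % aid)
    return problems

# Constructed samples (not the poster's message); signature contents elided.
TEMPLATE = (
    '<wsse:Security xmlns:wsse="%(wsse)s" xmlns:saml2="%(saml2)s" xmlns:ds="%(ds)s">'
    '<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-23T00:34:35Z">'
    '<saml2:Issuer>CN=Example Issuer</saml2:Issuer>{sig}<saml2:Subject/>'
    '</saml2:Assertion></wsse:Security>'
) % NS
SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
UNSIGNED = TEMPLATE.format(sig="")
SIGNED = TEMPLATE.format(sig=SIG)
WRONG_REF = TEMPLATE.format(sig=SIG.replace("#_a1", "#_other"))

if __name__ == "__main__":
    for name, msg in (("signed", SIGNED), ("unsigned", UNSIGNED), ("wrong-ref", WRONG_REF)):
        print(name, assertion_signature_problems(msg) or "ok")
```

A receiver that gets a non-empty list would reject the message with a fault before any further processing; a message that passes still needs full XML signature verification against a trusted issuer key.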

