Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AuthnRequest sent via HTTP-Redirect is signed twice (embedded and detached) #819

Closed
vladimir-mencl-eresearch opened this issue Aug 12, 2021 · 2 comments · May be fixed by #973
Closed

AuthnRequest sent via HTTP-Redirect is signed twice (embedded and detached) #819

vladimir-mencl-eresearch opened this issue Aug 12, 2021 · 2 comments · May be fixed by #973

Comments

@vladimir-mencl-eresearch
Copy link
Contributor

Code Version

7.0.1

Expected Behavior

With saml2_backend.yaml config.sp_config.services.sp.authn_requests_signed set to True, an AuthnRequest should get signed only with a detached signature in http_redirect_message.

Current Behavior

An AuthnRequest gets signed with an embedded signature in entity.py _message, and also gets a detached signature in http_redirect_message.

Possible Solution

The Entity _message method looks at the sign parameter and should_sign attribute - and when in determines the message should be sign, it creates an embedded XML signature.

While this is the right thing for the general case, it is not suitable for messages sent over BINDING_HTTP_REDIRECT (binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect), as they get a detached signature.

I thought about solving this in client_base.py create_authn_request by setting sign=False if the binding is BINDING_HTTP_REDIRECT - but this method is actually NOT receiving the binding the current call runs over, it only gets the binding the response should be sent over.

One option would be to change the signature of create_authn_request to also accept current_binding as a named parameter - and suppress signing based on that.

I have been able to force the correct behaviour in SATOSA directly by changing satosa.backends.saml2 authn_request to supress signing of the AuthnRequest message object for Redirect binding:

            req_id, req = self.sp.create_authn_request(
                destination, binding=response_binding,
                sign = False if binding == BINDING_HTTP_REDIRECT else None,
                **kwargs
            )

... but I think it should be solved in pysaml2.

Your toughts, @c00kiemon5ter ?

Cheers,
Vlad

Steps to Reproduce

  1. Deploy pysaml2 as SP (e.g., as SATOSA backend)
  2. Enable AuthnRequest signing (authn_requests_signed = true).
  3. Initiate an AuthnRequest to an IdP
  4. The request will be double-signed.
@c00kiemon5ter
Copy link
Member

c00kiemon5ter commented Aug 12, 2021
edited
Loading

hello @vladimir-mencl-eresearch,
I am on vacation atm, and will be fully back on the 25th.

quick notes on the subject

  • saml2.client_base.create_authn_request is a low-level utility
  • saml2.client provides higher level utilities: prepare_for_authenticate and prepare_for_negotiated_authenticate
  • we should probably change the saml2 backend of satosa to use those instead of create_authn_request.

Those split the sign flag into sign_post and sign_redirect by checking the binding making sure the right args are set in the steps that are taken for these operations. Would you like to give this a try?

@vladimir-mencl-eresearch
Copy link
Contributor Author

Hi @c00kiemon5ter ,

Thanks for the reply. And thanks for the points to saml2.client prepare_for_authenticate / prepare_for_negotiated_authenticate - that looks like the exactly right approach to take, the sign_post and sign_redirect variables defined there are exactly what's needed.

I'll try tackling this in SATOSA.

Enjoy your holiday!

Cheers,
Vlad

@c00kiemon5ter c00kiemon5ter mentioned this issue Aug 27, 2021
Merged
6 tasks
Closed
Closed
Open
vladimir-mencl-eresearch added a commit to REANNZ/pysaml2 that referenced this issue Dec 12, 2024
@vladimir-mencl-eresearch
fix: prep_for_nego_auth: avoid double signing redirect requests
4f68733 
Fixes IdentityPython#819 (again)

The prepare_for_negotiated_authenticate method has sign parameter defaulting to None.

The logic setting sign_redirect and sign_post does not properly handle the three-state aspects
that sign has with None mixed True and False.

Python evalutes `None and <any value>` as None, so as a result,
None gets passed forboth sign_redirect and sign_post.

However, None is interpreted by Entity._message as "sign if self.should_sign".

As a result, for Redirect binding, the authentication request gets signed
both in XML and in HTTP parameter (recurrence of IdentityPython#819).

Fix this by passing an explicit False for exactly one of the branches
(sign_post for REDIRECT binding and sign_redirect for all other bindings),
passing through value of `sign` for the other branch.
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: prep_for_nego_auth: avoid double signing redirect requests REANNZ/pysaml2
2 participants
@c00kiemon5ter @vladimir-mencl-eresearch