-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support signed assertions #45
base: master
Are you sure you want to change the base?
Conversation
b72b69b
to
1afa8d7
Compare
I haven't had the time to review this yet, but I hope to be able to do so by the end of the coming weekend at the latest. Thank you as always for your contributions and patience! 🙇🏽 |
src/Network/Wai/SAML2/Validation.hs
Outdated
let docMinusSignature = removeSignature responseXmlDoc | ||
docMinusSignature <- removeSignature <$> case responseSignature samlResponse of | ||
Just _ -> pure responseXmlDoc | ||
-- if a response signature is not present, assume that the assertion contains the signature |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When both response signature and an assertion signature are present, we could technically validate both, but I'm not sure if anyone really wants to do that
1afa8d7
to
c5ffca8
Compare
ba8e651
to
e43f0e4
Compare
@mbg Sure. I refactored the implementation for more clarity |
e43f0e4
to
39b31bc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As always, thank you for the good work on this library! I have a few comments/questions, but generally this looks sensible.
@@ -3,6 +3,7 @@ | |||
## 0.7 | |||
|
|||
- Replaced `x509Certificate` with `x509Certificates` in `IDPSSODescriptor` so that it may have more than one certificate ([#65](https://github.com/mbg/wai-saml2/pull/65) by [@fumieval](https://github.com/fumieval)) | |||
- Support signed assertions, not just signed responses by ([#45](https://github.com/mbg/wai-saml2/pull/45) by [@fumieval](https://github.com/mbg/wai-saml2)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Support signed assertions, not just signed responses by ([#45](https://github.com/mbg/wai-saml2/pull/45) by [@fumieval](https://github.com/mbg/wai-saml2)) | |
- Support signed assertions, not just signed responses ([#45](https://github.com/mbg/wai-saml2/pull/45) by [@fumieval](https://github.com/fumieval)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. I am happy for you to keep this as is.
Just _ -> validateSAMLResponseSignature cfg responseXmlDoc samlResponse now | ||
Nothing -> validateSAMLAssertionSignature cfg responseXmlDoc samlResponse now | ||
|
||
validateSAMLResponseSignature :: SAML2Config |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to add a docs comment for this function summarising what it does.
|
||
validateSAMLPreliminary cfg samlResponse | ||
|
||
case responseSignature samlResponse of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am wondering to what extent the path that's taken here should be up to the contents of the response? Rather than picking this based on whether there's a responseSignature
present, would it make sense to instead have a setting in SAML2Config
that determines which path we take here?
assertion <- case responseAssertion samlResponse of | ||
Just a -> pure a | ||
_ -> throwError $ InvalidResponse $ userError "Assertion is required" | ||
|
||
signature <- case assertionSignature assertion of | ||
Just a -> pure a | ||
_ -> throwError $ InvalidResponse $ userError "Assertion signature is required" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be more consistent to have more constructors in the SAML2Error
type for these errors than to use InvalidResponse
with userError
.
, documentRoot = node | ||
, documentEpilogue = [] | ||
} | ||
_ -> throwError $ InvalidResponse $ userError "Assertion is required" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This error message should probably say something else?
Summary
At the moment, wai-saml2 validates signed responses, but not signed assertions. This might cause an error when the identity provider signs assertions only (by default AzureAD does not sign responses).
This change adds support for signed assertions; when a signature for the response is present, it validates the response. If this is missing, it validates the signature for the assertion instead.
Checklist
@since
annotations.