
Enhancing signature validation in SAML Response #144

Closed

himran92 wants to merge 5 commits into main from himran92-enhance-signature-validation-for-saml-response

Conversation

@himran92
Contributor

@himran92 himran92 commented Nov 28, 2024

The SAML protocol allows signing of a Response, its Assertion(s), neither, or both. Since Assertion(s) are sub-elements of a Response, they are signed if the Response is signed. Today we depend on gosaml2 for signature validation. It only checks that one or the other is signed.
For security reasons, we would like to move towards always requiring both to be signed.

Changes in PR include:

  1. enhancing SAML response to validate both Response & Assertion signature
  2. extending provider to allow signing Response or Assertion as controlled by parameters
  3. extending tests to cover these cases

Points blocking merge:

  1. Thinking about whether we need to manually test this. Is there any test account that HashiCorp uses for a SAML identity provider?
  2. Will a /cap release need to be manually cut after making any change to the library?
  3. We expect that both should always be signed, but still checking with the team whether we consider this a breaking change.

… on signature for saml response & extending tests
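As an added example (not code from the cap project or from this PR), the following stdlib-only Go sketch shows the policy the description asks for: it walks a SAML Response once, records whether the Response and each top-level Assertion carry their own enveloped ds:Signature, fails closed when a Signature's ds:Reference URI does not name the element it is enveloped in (the usual signature-wrapping tell), and then enforces "response", "assertion" or "both" as selectable requirements. InspectSignatures, CheckPolicy, attr, sig and the Sample* documents are hypothetical names; the sample XML is constructed here with skeleton Signature elements; and no cryptographic verification happens in this code, which is the part the description leaves to gosaml2.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Element names that matter for signature placement in a SAML 2.0 Response.
var (
	elemResponse  = xml.Name{Space: "urn:oasis:names:tc:SAML:2.0:protocol", Local: "Response"}
	elemAssertion = xml.Name{Space: "urn:oasis:names:tc:SAML:2.0:assertion", Local: "Assertion"}
	elemSignature = xml.Name{Space: "http://www.w3.org/2000/09/xmldsig#", Local: "Signature"}
)
// SignatureReport records which elements carry their own enveloped ds:Signature (hypothetical type).
type SignatureReport struct {
	ResponseSigned   bool
	AssertionCount   int // Assertions that are direct children of the Response
	SignedAssertions int // ...of which carry their own Signature
}
func attr(e xml.StartElement, local string) string {
	for _, a := range e.Attr {
		if a.Name.Local == local {
			return a.Value
		}
	}
	return ""
}

// InspectSignatures walks the token stream once, noting which element each ds:Signature is enveloped in and
// failing closed if a ds:Reference URI does not name that element's own ID. It does NOT verify SignatureValue.
func InspectSignatures(doc string) (SignatureReport, error) {
	var rep SignatureReport
	stack, sigOwner := []xml.StartElement(nil), -1 // open elements (root first); index of the current Signature's parent
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return rep, nil
		} else if err != nil {
			return rep, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			underResponse := len(stack) == 1 && stack[0].Name == elemResponse
			switch t.Name {
			case elemAssertion:
				if underResponse {
					rep.AssertionCount++
				}
			case elemSignature:
				if underResponse {
					rep.ResponseSigned = true
				} else if len(stack) == 2 && stack[0].Name == elemResponse && stack[1].Name == elemAssertion {
					rep.SignedAssertions++
				}
				sigOwner = len(stack) - 1 // -1 if the Signature is the document root
			case xml.Name{Space: elemSignature.Space, Local: "Reference"}:
				if sigOwner >= 0 && attr(t, "URI") != "#"+attr(stack[sigOwner], "ID") {
					return rep, fmt.Errorf("Reference %q does not point at the enclosing %s", attr(t, "URI"), stack[sigOwner].Name.Local)
				}
			}
			stack = append(stack, t)
		case xml.EndElement:
			if t.Name == elemSignature {
				sigOwner = -1
			}
			stack = stack[:len(stack)-1]
		}
	}
}

// CheckPolicy stands in for the PR's validateSignature options (hypothetical): require the Response signature, every Assertion's, or both.
func CheckPolicy(rep SignatureReport, requireResponse, requireAssertions bool) error {
	if requireResponse && !rep.ResponseSigned {
		return fmt.Errorf("Response is not signed")
	}
	if requireAssertions && (rep.AssertionCount == 0 || rep.SignedAssertions != rep.AssertionCount) {
		return fmt.Errorf("only %d of %d Assertions are signed", rep.SignedAssertions, rep.AssertionCount)
	}
	return nil
}
func sig(id string) string { // constructed skeleton Signature: a Reference URI only, no real SignatureValue
	return `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#` + id + `"/></ds:SignedInfo></ds:Signature>`
}

var ( // constructed samples, not real IdP output
	respOpen           = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">`
	SampleBothSigned   = respOpen + sig("_r1") + `<saml:Assertion ID="_a1">` + sig("_a1") + `<saml:Subject/></saml:Assertion></samlp:Response>`
	SampleResponseOnly = respOpen + sig("_r1") + `<saml:Assertion ID="_a1"><saml:Subject/></saml:Assertion></samlp:Response>`
	SampleWrapped      = respOpen + `<saml:Assertion ID="_evil">` + sig("_a1") + `<saml:Subject/></saml:Assertion></samlp:Response>` // Reference names a different ID
)

func main() {
	for _, doc := range []string{SampleBothSigned, SampleResponseOnly, SampleWrapped} {
		rep, err := InspectSignatures(doc)
		fmt.Printf("%+v inspect=%v requireBoth=%v\n", rep, err, CheckPolicy(rep, true, true))
	}
}
```

With `go run`, the both-signed sample satisfies the require-both policy, the response-only sample satisfies only the response requirement (which is the gap the description attributes to checking one or the other), and the sample whose Reference URI names a different ID is rejected during inspection before any policy is consulted. The placement check is the part worth keeping even once a real XML-DSig library verifies the signatures: a valid signature enveloped in the wrong element is exactly what signature-wrapping relies on.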
@hashicorp-cla-app

hashicorp-cla-app bot commented Nov 28, 2024

CLA assistant check
All committers have signed the CLA.

@himran92 himran92 marked this pull request as ready for review November 28, 2024 17:59
@himran92 himran92 requested a review from jimlambrt as a code owner November 28, 2024 17:59
@himran92 himran92 requested a review from benashz November 28, 2024 18:00
@himran92 himran92 closed this Nov 29, 2024
@himran92 himran92 deleted the himran92-enhance-signature-validation-for-saml-response branch November 29, 2024 17:14
jimlambrt pushed a commit that referenced this pull request Dec 30, 2024
* adding signature for assertion in saml provider, enhancing validation on signature for saml response & extending tests

* remove duplicate tests

* linting done

* small cleanup + small fix to test

* add helping comment

* use cap/saml response types

* making validation of signature of both fields as optional and adding unit tests to cover

* changes to include more validateSignature options for SAML

* improving / fixing comments and var names

* improving / fixing comments and var names

* improving variable name

* add validation to only allow one validateSignature option at one time

* removing validateBothSignature option

* Merge branch 'main' into VAULT-27387/himran92-enhance-signature-validation-for-saml-response