FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

ADFS SP support #1215

Closed pakomp closed 3 years ago

pakomp commented 3 years ago

ADFS SP support

Problem

When trying to use ADFS as a SAML2 SP it can't handle the "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" transform FusionAuth uses in its SAMLResponse.

Solution

Is there anyway to make FusionAuth use "http://www.w3.org/2001/10/xml-exc-c14n#" instead? Either with an App->Saml option or something we can set in the Populate lambda?

robotdan commented 3 years ago

The FusionAuth SAML IdP allows you to modify the signature method.

Applications > Edit > SAML > Authentication Response > Signature canonicalization method

Have you tried modifying this configuration value?

pakomp commented 3 years ago

That helped a bit, now it doesn't like that samlResponse.assertion.subject.confirmation.notBefore is set since the spec at http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf line 554 says only NotOnOrAfter should be set and MUST NOT contain NotBefore.
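The two compatibility problems raised so far (the `xml-exc-c14n#WithComments` canonicalization algorithm, and a `NotBefore` attribute on `SubjectConfirmationData`, which the Web Browser SSO profile forbids) can both be checked mechanically on a decoded SAMLResponse. The following is an added example, not code from this thread or from FusionAuth; it uses only the Python standard library and runs on two constructed, deliberately minimal SAMLResponse documents (the real response would be the base64-decoded `SAMLResponse` form field). It is useful when diagnosing which of an IdP's settings an SP is rejecting before turning to the SP's own logs.

```python
"""Lint a decoded SAMLResponse for two SP-compatibility problems:
 1. canonicalization / transform algorithms that use exc-c14n WithComments
 2. a NotBefore attribute on saml:SubjectConfirmationData (profile says MUST NOT)
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.split("}")[-1]


def check_saml_response(xml_text):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Every ds:CanonicalizationMethod and ds:Transform carries an Algorithm URI.
    algo_tags = {f"{{{NS['ds']}}}CanonicalizationMethod", f"{{{NS['ds']}}}Transform"}
    for elem in root.iter():
        if elem.tag in algo_tags and elem.get("Algorithm") == EXC_C14N_WITH_COMMENTS:
            findings.append(
                f"{_local(elem.tag)} uses {EXC_C14N_WITH_COMMENTS}; "
                f"SPs such as ADFS expect {EXC_C14N}"
            )

    # 2. SubjectConfirmationData: NotOnOrAfter required, NotBefore forbidden (bearer method).
    for scd in root.iter(f"{{{NS['saml']}}}SubjectConfirmationData"):
        if scd.get("NotBefore") is not None:
            findings.append("SubjectConfirmationData has NotBefore (profile: MUST NOT)")
        if scd.get("NotOnOrAfter") is None:
            findings.append("SubjectConfirmationData is missing NotOnOrAfter")
    return findings


def _response(c14n_algorithm, confirmation_attrs):
    """Build a constructed, signature-less skeleton of a SAMLResponse for the checks above."""
    return f"""
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
                xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{c14n_algorithm}"/>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>
          <ds:Transform Algorithm="{NS['ds']}enveloped-signature"/>
          <ds:Transform Algorithm="{c14n_algorithm}"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData {confirmation_attrs}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Constructed sample: the shape the thread reports ADFS rejecting.
BAD_RESPONSE = _response(
    EXC_C14N_WITH_COMMENTS,
    'NotBefore="2021-01-01T00:00:00Z" NotOnOrAfter="2021-01-01T00:05:00Z" '
    'Recipient="https://sp.example.com/acs"',
)
# Constructed sample: exclusive c14n without comments, NotOnOrAfter only.
GOOD_RESPONSE = _response(
    EXC_C14N,
    'NotOnOrAfter="2021-01-01T00:05:00Z" Recipient="https://sp.example.com/acs"',
)

if __name__ == "__main__":
    for name, doc in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(name, check_saml_response(doc) or "OK")
```

The bad sample yields three findings (the `CanonicalizationMethod`, the second `Transform`, and the `NotBefore` attribute); the good one yields none. Note that the check only inspects what the IdP emitted; it does not verify the signature, so run it on a captured response rather than trusting it as a validation step.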

robotdan commented 3 years ago

Ok, we’ll take a look.

pakomp commented 3 years ago

If changing any defaults would cause a major version break, maybe the SAML v2 populate lambda could support setting samlResponse.assertion.subject.confirmation.notBefore to null for it to be removed from the response.

Might allow for customization against other SPs also for other fields if needed in the future.

robotdan commented 3 years ago

Here is the same spec in the updated version with errata, but this same statement exists.

https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf

Lines 633 and 644

It MUST NOT contain a NotBefore attribute.

robotdan commented 3 years ago

Linked issue: https://github.com/FusionAuth/fusionauth-samlv2/issues/4

robotdan commented 3 years ago

This should be fixed in 1.28.0. @pakomp let us know if you are still experiencing issues.