Closed pakomp closed 3 years ago
The FusionAuth SAML IdP allows you to modify the signature method.
Applications > Edit > SAML > Authentication Response > Signature canonicalization method
Have you tried modifying this configuration value?
That helped a bit, now it doesn't like that samlResponse.assertion.subject.confirmation.notBefore is set since the spec at http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf line 554 says only NotOnOrAfter should be set and MUST NOT contain NotBefore.
Ok, we’ll take a look.
If changing any defaults would cause a major version break, maybe the SAML v2 populate lambda could support setting samlResponse.assertion.subject.confirmation.notBefore to null for it to be removed from the response.
Might allow for customization against other SPs also for other fields if needed in the future.
Here is the same spec in the updated version with errata, but this same statement exists.
Lines 633 and 644: "It MUST NOT contain a NotBefore attribute."
Linked issue : https://github.com/FusionAuth/fusionauth-samlv2/issues/4
This should be fixed in 1.28.0. @pakomp let us know if you are still experiencing issues.
ADFS SP support
Problem
When trying to use ADFS as a SAML2 SP it can't handle the "http://www.w3.org/2001/10/xml-exc-c14n#WithComments" transform FusionAuth uses in its SAMLResponse.
Solution
Is there any way to make FusionAuth use "http://www.w3.org/2001/10/xml-exc-c14n#" instead? Either with an App->Saml option or something we can set in the Populate lambda?
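The two interoperability problems raised in this thread (the exc-c14n#WithComments algorithm in the signature, and a NotBefore attribute on the bearer SubjectConfirmationData, which the SAML profiles spec forbids) can both be spotted by inspecting the SAMLResponse XML before sending it to the SP. The linter below is an added example, not FusionAuth's or ADFS's code; the SAMLResponse skeleton it builds is constructed for the demo and carries a placeholder instead of a real signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WITH_COMMENTS = EXC_C14N + "WithComments"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def lint_saml_response(xml_text):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    # Check 1: flag every CanonicalizationMethod or Transform that uses the
    # WithComments variant ADFS rejects (the thread's first problem).
    for tag in ("CanonicalizationMethod", "Transform"):
        for el in root.iter("{%s}%s" % (NS["ds"], tag)):
            if el.get("Algorithm") == EXC_C14N_WITH_COMMENTS:
                findings.append("%s uses %s" % (tag, EXC_C14N_WITH_COMMENTS))
    # Check 2: bearer SubjectConfirmationData must carry NotOnOrAfter and
    # must not carry NotBefore (SAML profiles, Web Browser SSO, lines 633/644).
    for sc in root.iter("{%s}SubjectConfirmation" % NS["saml"]):
        if sc.get("Method") != BEARER:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            findings.append("bearer SubjectConfirmation lacks SubjectConfirmationData")
            continue
        if scd.get("NotBefore") is not None:
            findings.append("bearer SubjectConfirmationData carries NotBefore")
        if scd.get("NotOnOrAfter") is None:
            findings.append("bearer SubjectConfirmationData lacks NotOnOrAfter")
    return findings


def sample_response(c14n, not_before):
    """Constructed, unsigned SAMLResponse skeleton (not real FusionAuth output)."""
    nb = ' NotBefore="2021-01-01T00:00:00Z"' if not_before else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{c14n}"/>
      <ds:Reference URI="#_a1"><ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="{c14n}"/>
      </ds:Transforms></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData{nb} NotOnOrAfter="2021-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(lint_saml_response(sample_response(EXC_C14N_WITH_COMMENTS, True)))
    print(lint_saml_response(sample_response(EXC_C14N, False)))
```

Run it against a captured SAMLResponse (base64-decoded) to confirm whether an IdP emits the WithComments algorithm or a NotBefore on the bearer confirmation before troubleshooting the SP side.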