[9.1.0] SAML SSO with ADFS: Signature validation failed - Signing Certificate rotation

[stumbaumr]

Important Details

How are you running Sentry?

• [X] On-Premise docker [9.1.0]

Description

I connected our onpremise sentry with our Active Directory using Active Directory Federation Services (ADFS) which provides also SAML2. Every year the ADFS creates a new signing certificate and for some time sends both certificates in the response. Some applications see the new certificate and import the fingerprint or public key into their config automatically, some not.

Sentry seems to be on the not side... so now authentication does not work, since the old certificate became invalid and the new one has not been accepted.

Steps to Reproduce

1. Configure SSO auth with AD using SAML and ADFS
2. Wait until the old Signing certificate expires (usually one year)...
3. See the following error message "Authentication error: SAML SSO failed, Signature validation failed. SAML Response rejected" after trying to log on.

Good items to include here include:

• Include a stacktrace or other logs when relevant

  <samlp:Response ID="_1686a1f4-584a-4e0b-a76d-5c57dca26c2f"
              Version="2.0"
              IssueInstant="2020-03-17T09:00:07.651Z"
              Destination="https://sentry.contoso.com/saml/acs/contoso/"
              Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
              InResponseTo="ONELOGIN_e1c0083da9c3260258ab4de4370931354c2b9c31"
              xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://bgdc1po-adfs1-farm.ad.contoso.com/adfs/services/trust</Issuer>
  <samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
  <Assertion ID="_2ae3a919-e756-411a-afb7-ea4f457dbbdc"
           IssueInstant="2020-03-17T09:00:07.651Z"
           Version="2.0"
           xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>http://bgdc1po-adfs1-farm.ad.contoso.com/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_2ae3a919-e756-411a-afb7-ea4f457dbbdc">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>UtO8+Bu3EYdO9d3JlKAylqgMB1UlyW7CvXmQ51Yk80I=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
  VPR2FAzixSwi8GYGn3Py8svlYbvyfaHOBG7eYdK0Tg6o8uUdrp0acNAgiHKH0krrs1wGJwLVubOXSnRBLkDUFn+UahM1XKPHKgJHaAmOoADHP3miZ2P3GFtkd/R7eLw3v9a3pAHHawMnScDck8vcvXBpxiOZz7OKQkC77oTipsaOgSZPgndBftnNEZfYRI3wDAcHAs80LjuwBUhjblQq+PlAPfL3p3qn3lrGhKHsExfd/KcZMIs+fEjezbh6Z3CsGVTm4BKWMZeH3CJMXLkrAlZfrEPJECAojr33yeR9UnSTcD31ytl9SSQW728/OMqs9a3ZIOWhZweZWe8F0LSqmA==
  </ds:SignatureValue>
    <KeyInfo
    xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>
  [[The new certificate that sentry does not know about…]]
  </ds:X509Certificate>
      </ds:X509Data>
      </KeyInfo>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">rstumbaum@contoso.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="ONELOGIN_e1c0083da9c3260258ab4de4370931354c2b9c31"
                               NotOnOrAfter="2020-03-17T09:05:07.651Z"
                               Recipient="https://sentry.contoso.com/saml/acs/contoso/" />
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2020-03-17T09:00:07.635Z"
              NotOnOrAfter="2020-03-17T10:00:07.635Z">
    <AudienceRestriction>
      <Audience>https://sentry.contoso.com/saml/metadata/contoso/</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>rainer.stumbaum@contoso.com</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>Rainer</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <AttributeValue>Stumbaum</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <AttributeValue>rstumbaum@contoso.com</AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2020-03-17T08:35:53.255Z"
                  SessionIndex="_2ae3a919-e756-411a-afb7-ea4f457dbbdc">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
  </Assertion>
  </samlp:Response>

What you expected to happen

The roll over of the signing certificate should be automatic.

Possible Solution

As soon as the SAML reponse includes more than one certificate import the newer one into the SAML settings. So basically this in an automated fashion: https://aws.amazon.com/de/blogs/security/how-to-set-up-uninterrupted-federated-user-access-to-aws-using-ad-fs/

[maxp1256]

We've the same problem with sentry 10 onpremise. A workaround is to remove the secondary token-signing and encryption certificate:

Get-AdfsCertificate -CertificateType token-signing --note thumbprint from old cert Get-AdfsCertificate -CertificateType token-decrypting --note thumbprint from old cert

Set-ADFSProperties -AutocertificateRollover $false Remove-AdfsCertificate -CertificateType token-decrypting -Thumbprint Remove-AdfsCertificate -CertificateType token-signing -Thumbprint Set-ADFSProperties -AutocertificateRollover $true

[github-actions[bot]]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Accepted, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[BYK]

ping @getsentry/enterprise for triage

[leedongwei]

@stumbaumr Thanks for the detailed report!

[BYK]

@leedongwei I think this is fixed with the recent work on SSO and SAML?