goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

SAML Signature Validation shortcomings #7873

Open Janfred opened 9 months ago

Janfred commented 9 months ago

Describe the bug

When connected to a Shibboleth IdP (not sure yet if applicable for all Shibboleth IdPs or only this specific one), the signature validation fails.

After reading the source code of authentik this was traced back to this issue:

The verification code expects the signature to be located at a specific xpath:

https://github.com/goauthentik/authentik/blob/026e80bd10be43df1e9bad96a63e85271b28c4c9/authentik/sources/saml/processors/response.py#L82-L86

The SAML specification allows this signature to be located at a higher anchor, which is the case for the SAML Response we get from our IdP. (/samlp:Response/ds:Signature instead of /samlp:Response/saml:Assertion/ds:Signature)

Further reference: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, Section 5.3 Signature Inheritance:

A SAML assertion may be embedded within another SAML element, such as an enclosing <Assertion> or a request or response, which may be signed. When a SAML assertion does not contain a <ds:Signature> element, but is contained in an enclosing SAML element that contains a <ds:Signature> element, and the signature applies to the <Assertion> element and all its children, then the assertion can be considered to inherit the signature from the enclosing element. The resulting interpretation should be equivalent to the case where the assertion itself was signed with the same key and signature options.
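Added example (not authentik's code, and not the reporter's): a small Python routine showing how a SAML consumer can accept both placements described above without opening the door to signature wrapping. It looks for a ds:Signature first as a direct child of the saml:Assertion, then as a direct child of the enclosing samlp:Response, and in either case insists that the signature's single Reference URI points at the ID of the element it is a child of and that this ID is unique in the document. It deliberately does not search for a signature anywhere in the tree (an `//ds:Signature` lookup is exactly what XML Signature Wrapping attacks exploit). Cryptographic verification of the located signature is assumed to happen afterwards with an XML-DSig library such as xmlsec; this block only decides which signature is allowed to count. The sample Responses are constructed inline with placeholder signature values and carry no real key material.

```python
"""Locate the ds:Signature that covers the assertion in a SAML 2.0 Response.

Accepts both /samlp:Response/saml:Assertion/ds:Signature and the inherited
/samlp:Response/ds:Signature form (SAML Core, Section 5.3), but refuses a
signature that is not bound to the element it is a direct child of.
Illustrative code only, not part of authentik. Cryptographic verification of
the returned signature is assumed to be done separately (e.g. with xmlsec).
"""
import xml.etree.ElementTree as ET
from typing import Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def find_covering_signature(response_xml: str) -> Tuple[str, str]:
    """Return ("assertion" | "response", signed_element_id) or raise ValueError.

    Search order is innermost first: a signature on the assertion itself wins
    over an inherited one on the enclosing Response. Only direct children are
    inspected, never arbitrary descendants.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")

    assertions = root.findall("saml:Assertion", NS)  # direct children only
    if len(assertions) != 1:
        raise ValueError("expected exactly one saml:Assertion, got %d" % len(assertions))
    assertion = assertions[0]

    for signed_el, location in ((assertion, "assertion"), (root, "response")):
        sig = signed_el.find("ds:Signature", NS)  # direct child of signed_el
        if sig is None:
            continue

        # An enveloped signature must reference the ID of the element that
        # contains it; anything else is a signature over some other node.
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if len(refs) != 1:
            raise ValueError("expected exactly one ds:Reference, got %d" % len(refs))
        uri = refs[0].get("URI", "")
        el_id = signed_el.get("ID")
        if not el_id or uri != "#" + el_id:
            raise ValueError(
                "signature Reference URI %r does not match parent ID %r" % (uri, el_id)
            )

        # The referenced ID must be unique, otherwise an attacker can plant a
        # second element with the same ID and relocate the signed content.
        if sum(1 for e in root.iter() if e.get("ID") == el_id) != 1:
            raise ValueError("ID %r is not unique in the document" % el_id)

        return location, el_id

    raise ValueError("no ds:Signature on the assertion or on the enclosing Response")


def sample_response(sig_under: str, ref_uri: str) -> str:
    """Constructed sample Response with a placeholder (non-cryptographic) signature.

    sig_under is "response", "assertion" or "none"; ref_uri is the Reference URI.
    """
    sig = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo>'
        "<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>"
    ) % ref_uri
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">'
        + (sig if sig_under == "response" else "")
        + '<saml:Assertion ID="_asrt1">'
        + (sig if sig_under == "assertion" else "")
        + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    # Shibboleth-style placement from the report: signature on the Response.
    print(find_covering_signature(sample_response("response", "#_resp1")))
    # Placement authentik already handles: signature on the Assertion.
    print(find_covering_signature(sample_response("assertion", "#_asrt1")))
```

Note the third path the check refuses: a signature that sits under the Response but references the assertion's ID (or any ID other than its parent's) is rejected rather than treated as covering the assertion. A fix that simply tries both xpaths and hands whichever signature it finds to the crypto library would still let the verifier confirm a valid signature over one element while the consumer reads attributes from another; binding the Reference URI to the parent element and checking ID uniqueness is what keeps "inherited" signatures safe.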

authentik-automation[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.