spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

OpenSaml4AuthenticationProvider : Handle response not signed but assertions signed #15368

Closed acothenet closed 1 month ago

acothenet commented 2 months ago

Describe the bug
When the response is not signed but the assertions are signed, an error is thrown.

To Reproduce
Configure an IdP (here I used OneLogin) to sign only the assertions (not the response). A Saml2AuthenticationException is thrown with the message: 'Did not decrypt response [xxx] since it is not signed'

Expected behavior
No exception should be thrown if all assertions are signed.

Some insight
The concerned code is in OpenSaml4AuthenticationProvider. It seems to me it should be instead:

    if (responseSigned) {
        this.responseElementsDecrypter.accept(responseToken);
    }
    else if (response.getEncryptedAssertions().isEmpty()) {
        result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE,
                "Did not decrypt response [" + response.getID() + "] since it is not signed"));
    }

We are currently working with the latest 5.8.x version. Thank you :)

jzheaux commented 1 month ago

Hi, @acothenet, what you are describing is already supported. If all the assertions are signed, then it will proceed with authentication. I believe what you are experiencing is that you may have an encrypted unsigned response, which Spring Security does not support.

If it sounds like I'm mistaken, will you please provide a minimal GitHub sample that reproduces the issue?

spring-projects-issues commented 1 month ago

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

acothenet commented 1 month ago

> Hi, @acothenet, what you are describing is already supported. If all the assertions are signed, then it will proceed with authentication. I believe what you are experiencing is that you may have an encrypted unsigned response, which Spring Security does not support.
>
> If it sounds like I'm mistaken, will you please provide a minimal GitHub sample that reproduces the issue?

Indeed, that concerns unsigned responses with encrypted assertions. I managed to handle it with a custom configuration, but it would be nice if Spring Security handled it :)