Closed martin-lindstrom closed 6 years ago
Possible solutions?
The first one is obvious, but probably not acceptable. We restrict the usage of SAD:s by banning Proxy-IdP solutions from supporting SADRequest messages.
Next. Can we require that Signature Service to obtain the metadata from the "real" IdP that issued the SAD? And if so, it should be able to verify the signature. But we don't even now if they are in the same federation, so this is not probably the way to go. Furthermore, it will not aid the Signature Service is succeeding with the other checks.
What if we require Proxy-IdP:s wanting to support the SAD/SAP specification to issue a proxy-SAD?
If the Proxy-IdP promises to verify a received SAD (the 8 checks above), it should be able to wrap the original SAD into a Proxy-SAD which can be verified by the Signature Service. The original SAD would still be there for proof. We would need to add an extra field to the seElnSadext
claim - proxiedSad
.
SAD verification is done is a tamper resistent environment. It is therefore important that the SAD itself is simple and can be validate using fairly simple process.
I suggest a small change to the specification.
If a proxy is used, the original SAD request is also proxied to the upstream IdP, preserving the SRID.
Add a new "Proxy section" stating that:
With these changes, all of the validation steps will pass even if proxy is used.
Update after discussion today:
The SAD specified in Signature Activation Protocol for Federated Signing is supposed to be verified by the recipient (i.e., an Signature Service). The Signature Service does that by performing the following steps:
aud
(audience) claim equals the SAML entityID of the Signature Service.iss
(issuer) contains the entityID of the issuing IdP.exp
andiat
claims.irt
(in response to) extension claim holds the ID of theAuthnRequest
containing theSADRequest
that the Signature Service sent to the IdP.reqid
corresponds to the ID of the SignRequest that led to this communication.sub
andattr
) matches an attribute from the receivedAssertion
.loa
claim matches what was received in theAssertion
.Suppose that the Signature Service communicates with a Proxy Service, P, that proxies the request to an IdP, X, that performs the user authentication, displaying of SignMessage and issuance of the SAD. The Proxy, P, will when it receives the SAML response from the IdP, create a new
Assertion
, include attributes issued from P, sign it with its own key and return the response to the Signature Service.Now. Since the SAD attribute is proxied, the Signature Service will run into problems when verifying the SAD.
aud
claim to the entityID of the requester, which is the Proxy IdP.AuthnRequest
(with another ID) when communicating with the X IdP.