I've been working with Zendesk support to test FusionAuth's upcoming SAML support with Zendesk. It looks like the signature.rb file is hard-coding the digest validation transforms rather than using what was defined in the <Reference> element.
In our case, we were sending a <Reference> like this:
From my reading of the specification and testing on other platforms, this is allowed. The specification states that 0 or more <Transform> elements can be provided and only those transforms should be used prior to digesting. This is in section 4.4.3.4 (https://www.w3.org/TR/xmldsig-core1/#sec-Transforms).
This would mean that the SAML library should only be removing the <Signature> element prior to digesting. However, the library is also canonicalizing. It also looks like the library is hard-coding an Exclusive without comments canonicalization. It should be using the canonicalization transform from the <Reference> element instead, which could be Inclusive or something else.
The code that is performing the digest check is in signature.rb in the method verify! on line 68.