How to have a SAML request/response signed using Spring Security SAML extension


I was able to have my application act as a SP with the IDP SSOCIRCLE using the Spring Security SAML extension. My customer has the following requirements:

1. Have the assertion signed: The assertion sent from the IDP is signed and it is working fine.

2. Have the request/response signed: When using SSO Circle to generate the metadata file, I set the option AuthnRequestsSigned to true. I uploaded my SP metadata to the SSO Circle IDP. The SP metadata had the following values as true: AuthnRequestsSigned & WantAssertionsSigned. When running the application, neither my request nor the response I get is signed.

I am having trouble getting the second requirement done. I am new to SAML and to security in general. What am I missing here?

UPDATE

After taking into consideration Vladimir's comments, I changed my binding to HTTP-POST, so now I am sending the SAML request with the signature shown. I was able to send the request signed using my private key (not the one provided by the sample project) by doing the following:

  1. Create a keystore, CSR, and a public key certificate using the keygen tool.
  2. Update the Digital Signature section in my SP metadata file to have the new certificate
  3. Remove the old SP metadata file from IDP SSOCIRCLE and add the new SP metadata file
  4. Change spring configurations to have the JKSKeyManager to use the new keystore I created with the new alias and password.

What I need to do now is to have the IDP (SSOCIRCLE) send the response where (a) the response is signed and (b) the assertion is signed.

How can that be achieved? What changes do I need to make to handle that, given that the signing of the response should be different from the signing of the assertion? Thanks.


There is 1 answer

Vladimír Schäfer

The HTTP-Redirect binding requires that any ds:Signature element present on the SAML message itself is removed before the message is sent:

Any signature on the SAML protocol message, including the XML element itself, MUST be removed. Note that if the content of the message includes another signature, such as a signed SAML assertion, this embedded signature is not removed. However, the length of such a message after encoding essentially precludes using this mechanism. Thus SAML protocol messages that contain signed content SHOULD NOT be encoded using this mechanism. (saml2-bindings, lines 578-582, copy-pasted from the PDF)

At the same time, the HTTP-Redirect binding requires that a new digital signature is attached to the GET URL as the parameter Signature.

This means that with HTTP-Redirect you cannot send a message with a Signature on the message level; instead the signature is added to the URL. Therefore the whole message sent from Spring SAML to the IDP is signed (check it in the data sent from the SP).

There is no standard way to force the IDP to send the Response message signed on the message level in addition to including a signature in the assertion. If you're using SSL/TLS, the authenticity and non-repudiation of the message (characteristics of digital signatures) are provided by the transport layer.
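As an added illustration of the HTTP-Redirect mechanism described in the answer (this is example code written for this page, not code from the original post or from the Spring Security SAML extension), the following Go program does what Spring SAML does on the wire for a redirect-bound AuthnRequest: it DEFLATEs and base64-encodes the XML, signs the URL-encoded string `SAMLRequest=...&RelayState=...&SigAlg=...` with the SP's private key, and appends the result as the detached `Signature` query parameter. The AuthnRequest, the endpoint URLs and the freshly generated RSA key are constructed placeholders standing in for the real SP metadata and JKS keystore. The verifier side rebuilds the signed octets from the raw query parameters exactly as received (no re-encoding, which is the usual cause of "signature invalid" mismatches between implementations) and allow-lists `SigAlg` instead of trusting whatever algorithm the sender names:

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Constructed sample AuthnRequest; the ID and URLs are placeholders, not a real SP's message.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
	`ID="_example1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z" Destination="https://idp.example.org/sso">` +
	`<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/saml/metadata</saml:Issuer>` +
	`</samlp:AuthnRequest>`

// The only SigAlg this example accepts; a verifier must allow-list algorithms, never trust the sender's choice.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// encodeRedirectMessage applies the binding's encoding: raw DEFLATE (no zlib header), then base64.
func encodeRedirectMessage(xml string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil { return "", err }
	if _, err = w.Write([]byte(xml)); err != nil { return "", err }
	if err = w.Close(); err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// decodeRedirectMessage reverses encodeRedirectMessage.
func decodeRedirectMessage(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil { return "", err }
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(out), err
}

// BuildRedirectURL signs "SAMLRequest=..&RelayState=..&SigAlg=.." (URL-encoded, RelayState optional)
// with RSA-SHA256 and appends the base64 signature as the Signature parameter of the GET URL.
func BuildRedirectURL(idpSSO, xml, relayState string, key *rsa.PrivateKey) (string, error) {
	enc, err := encodeRedirectMessage(xml)
	if err != nil { return "", err }
	q := "SAMLRequest=" + url.QueryEscape(enc)
	if relayState != "" {
		q += "&RelayState=" + url.QueryEscape(relayState)
	}
	q += "&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
	digest := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return idpSSO + "?" + q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectURL rebuilds the signed octets from the raw, still URL-encoded parameters exactly as
// received, checks the signature with the SP's public key and returns the decoded AuthnRequest XML.
func VerifyRedirectURL(rawURL string, pub *rsa.PublicKey) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil { return "", err }
	raw := map[string]string{}
	for _, kv := range strings.Split(u.RawQuery, "&") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			raw[p[0]] = p[1]
		}
	}
	if raw["SAMLRequest"] == "" || raw["SigAlg"] == "" || raw["Signature"] == "" {
		return "", fmt.Errorf("missing SAMLRequest, SigAlg or Signature parameter")
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != sigAlgRSASHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", alg)
	}
	q := "SAMLRequest=" + raw["SAMLRequest"] // raw values: do not re-encode what the SP signed
	if rs, ok := raw["RelayState"]; ok {
		q += "&RelayState=" + rs
	}
	q += "&SigAlg=" + raw["SigAlg"]
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil { return "", err }
	digest := sha256.Sum256([]byte(q))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("redirect signature invalid: %w", err)
	}
	enc, _ := url.QueryUnescape(raw["SAMLRequest"])
	return decodeRedirectMessage(enc)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the private key in the SP keystore
	if err != nil { panic(err) }
	u, err := BuildRedirectURL("https://idp.example.org/sso", sampleAuthnRequest, "state-1", key)
	if err != nil { panic(err) }
	fmt.Println("GET", u)
	xml, err := VerifyRedirectURL(u, &key.PublicKey)
	fmt.Println("verified:", err == nil && xml == sampleAuthnRequest)
}
```

Two points to take from the example. First, the signature covers the RelayState as well as the message, so a tampered RelayState fails verification just as a tampered SAMLRequest does. Second, the message XML itself carries no ds:Signature element here, which is exactly what the bindings text quoted above requires; if you need the signature inside the XML, the HTTP-POST binding is the one to use.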