I appreciate that this probably isn’t really a ComponentSpace problem, but I would have expected other people to have hit the same issue. Maybe this thread will help others…
My system acts as an IdP and asserts to a SP using the SimpleSAMLphp software. The issue appears to be when an encrypted assertion is decrypted and then the contained signature is verified.
After much (painful) debugging I found that at some point during the processing of the SAML message (after it’s sent to the SP), the InclusiveNamespaces element appears to be altered so that the xmlns attribute comes before the PrefixList attribute.
Since the order of the attributes is changed after the digest value is generated by ComponentSpace, their verification fails due to the hash being different.
I’ve never seen this on any integration with other third parties, so I suspect the issue is a SimpleSAMLphp one. However, I’m interested in any thoughts and possible workarounds that you may know of.
Thanks.
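To illustrate the canonicalisation point raised above, here is an added example (not code from the thread, ComponentSpace or SimpleSAMLphp): two serialisations of the InclusiveNamespaces element that differ only in attribute order give different raw digests but identical canonical digests. It uses Python's stdlib C14N 2.0 canonicaliser as a stand-in for the Exclusive C14N 1.0 that XML-DSig references use; both emit namespace declarations before ordinary attributes, so a reference digest computed over the canonical form is unaffected by this reordering, and a mismatch points to one side hashing non-canonical bytes or using a different canonicalisation algorithm.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the same InclusiveNamespaces element with its two
# attributes serialised in opposite orders, as described in the thread.
EC_NS = "http://www.w3.org/2001/10/xml-exc-c14n#"
AS_SIGNED = f'<ec:InclusiveNamespaces xmlns:ec="{EC_NS}" PrefixList="xs"/>'
AS_RECEIVED = f'<ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="{EC_NS}"/>'


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes exactly as serialised (no canonicalisation).
    This is the mistake that makes attribute order matter."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_form(xml_text: str) -> str:
    """Canonicalise with the stdlib C14N 2.0 writer (stand-in for Exclusive
    C14N 1.0). Both algorithms write xmlns declarations first and then the
    remaining attributes in sorted order, so input attribute order is lost."""
    return ET.canonicalize(xml_data=xml_text)


def canonical_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form, which is what an XML-DSig
    reference DigestValue must cover."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def digests_match(signed: str, received: str) -> dict:
    """Compare the signer's and verifier's view both ways, so the effect of
    skipping canonicalisation is visible side by side."""
    return {
        "raw": raw_digest(signed) == raw_digest(received),
        "canonical": canonical_digest(signed) == canonical_digest(received),
    }


if __name__ == "__main__":
    print("canonical:", canonical_form(AS_RECEIVED))
    print(digests_match(AS_SIGNED, AS_RECEIVED))
```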
If possible, please try the following test scenarios.
1. Sign but don’t encrypt the SAML assertion.
2. Encrypt the SAML assertion but sign the SAML response not the assertion.
Does SimpleSAMLphp successfully verify the signature in these scenarios?
If so and you require the SAML assertion to be encrypted then perhaps signing the SAML response is a reasonable workaround.
Encrypting the SAML assertion normally is only required if it contains particularly sensitive user information.
Typically HTTPS transport level security is sufficient.
Thanks for the reply. I tried pretty much all of your suggestions with varying degrees of success. Ultimately I think our solution will be to simply sign the assertion, which gives any relying party confidence that the assertion isn’t tampered with. My concern is that we do add potentially sensitive plaintext information to the assertion’s attributes, so encryption would have been preferred.
As a side note, and for anyone looking into similar issues, I found the exact problem is documented in a Stack Overflow post from 2 years ago. It’s still an issue with their product!
https://stackoverflow.com/questions/28145726/proper-xml-canonicalization-for-saml
Thanks
Thank you for the link.
Just to clarify, SimpleSAMLphp is an open source project rather than a product.
If you’re really keen, you could open an issue via their support page or perhaps ask the SP to do so.
https://github.com/simplesamlphp/simplesamlphp/issues