SAML Assertion Signature Validation

We recently had a penetration test performed on our site. There was a vulnerability reported in that a SAML Assertion was valid if the Signature block is removed. I would have assumed that the ISamlServiceProvider ReceiveSsoAsync would validate a SAML Response. Can you recommend an approach where I can validate if the Response contains the Signature block?

Unless you explicitly turn off signature verification through the SAML configuration, we expect either the SAML response or SAML assertion to be signed and for that signature to verify.
If the SAML assertion signature block was removed this would invalidate the SAML response signature, if any.
Please enable SAML trace and send the generated log file as an email attachment to

In case anyone else landed on this post, it was a configuration setting on our end. We assumed that the WantAssertionOrResponseSigned would handle verifying the Assertion signature, however that wasn't the case. Adding WantSAMLResponseSigned and WantAssertionSigned options solved the problem.

Thanks for the update.
These flags are defined in our Configuration Guide.
WantAssertionOrResponseSigned requires either the SAML assertion or SAML response to be signed and successfully verified. If neither is signed or verifies we throw an exception. This flag defaults to true as this is the most common use case.
However, if required you can explicitly specify you want the SAML response or SAML assertion signed using the WantSAMLResponseSigned and WantAssertionSigned flags.
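An added illustration, not ComponentSpace's own code: a Python check of which elements of a Response carry an enveloped ds:Signature, with the three flags from this thread modelled as a policy gate whose semantics are assumed from the replies above. It shows why the "either" flag passes a Response whose Assertion signature has been stripped but whose Response is still signed, while WantAssertionSigned rejects it. The sample Response and its Signature contents are constructed placeholders; presence is only a structural pre-check, and the library's cryptographic verification still has to run.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the Response carries a Signature, but the Assertion's
# own ds:Signature block has been removed. Signature contents are placeholders.
SIG = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/>'
       '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
RESPONSE_SIGNED_ASSERTION_STRIPPED = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  {SIG}
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def signature_presence(response_xml: str) -> dict:
    """Report whether the Response and its Assertion each have a *direct*
    child ds:Signature (enveloped signature). A Signature nested inside the
    Assertion does not count as the Response's signature, and vice versa."""
    root = ET.fromstring(response_xml.strip())
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    sig = f"{{{DS}}}Signature"
    assertion = root.find(f"{{{SAML}}}Assertion")
    return {
        "response": root.find(sig) is not None,
        "assertion": assertion is not None and assertion.find(sig) is not None,
    }


def policy_allows(presence: dict, want_assertion_or_response_signed: bool = True,
                  want_saml_response_signed: bool = False,
                  want_assertion_signed: bool = False) -> bool:
    """Assumed semantics of the three flags, as described in the thread:
    the first requires at least one signature, the other two require a
    specific one. All three false means signature requirements are off."""
    r, a = presence["response"], presence["assertion"]
    if want_assertion_or_response_signed and not (r or a):
        return False
    if want_saml_response_signed and not r:
        return False
    if want_assertion_signed and not a:
        return False
    return True
```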