SAML Authentication doesn't fail when the Digest & Signature Algorithms are different.

I am creating an STS using Identity Server 4 and I have also created a middleware component using ComponentSpace SAML for ASP.NET Core to authenticate external SAML authentication providers such as ADFS. I have created a Mock External SAML IdP for testing purposes so that I can change the SAML SP configurations as I need to. In the Auth Server (created using IdentityServer 4 and SAML) I am loading the SAML IdP configurations from the database. Just before calling _samlServiceProvider.InitiateSsoAsync() I am setting the correct SAML configuration ID using the _samlServiceProvider.SetConfigurationIDAsync() method. The implementation works without any issues. I can authenticate SAML users coming from the Mock SAML IdP.

During testing I changed the SAML configuration related to the Auth Server to use SHA384 for the Digest and Signature algorithms, and kept the Digest & Signature algorithms as SHA256 for the SAML IdP configuration on the Auth Server side. Then when I tried to log in using the SAML External IdP, the login was successful. I was expecting that since the Signature & Digest algorithms are different the authentication should fail. But it didn't; what seems to be the problem?

The DigestAlgorithm and SignatureAlgorithm refer to the algorithms to use when generating signatures.
If you wish to place constraints on the digest and signature algorithms of received signatures, you need to specify WantDigestAlgorithm and WantSignatureAlgorithm.
For example:


"PartnerIdentityProviderConfigurations": [
  {
    "Name": "http://ExampleIdentityProvider",
    "Description": "Example Identity Provider",
    "SignAuthnRequest": true,
    "WantSamlResponseSigned": true,
    "WantAssertionSigned": false,
    "WantAssertionEncrypted": false,
    "WantDigestAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "WantSignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "SingleSignOnServiceUrl": "http://localhost:56349/SAML/SingleSignOnService",
    "SingleLogoutServiceUrl": "http://localhost:56349/SAML/SingleLogoutService",
    "PartnerCertificates": [
      {
        "FileName": "certificates/idp.cer"
      }
    ]
  }
]


Thank you. I will do the necessary modifications. :slight_smile:

You’re welcome. :slight_smile:

What I have done at the moment is set the DigestAlgorithm and SignatureAlgorithm for the appropriate signature value. For example:

"PartnerIdentityProviderConfigurations": [
  {
    "Name": "http://ExampleIdentityProvider",
    "Description": "Example Identity Provider",
    "SignAuthnRequest": true,
    "WantSamlResponseSigned": true,
    "WantAssertionSigned": false,
    "WantAssertionEncrypted": false,
    "DigestAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "SingleSignOnServiceUrl": "http://localhost:56349/SAML/SingleSignOnService",
    "SingleLogoutServiceUrl": "http://localhost:56349/SAML/SingleLogoutService",
    "PartnerCertificates": [
      {
        "FileName": "certificates/idp.cer"
      }
    ]
  }
]

So if I want to enforce the use of a certain algorithm for Signature and Digest, should I just have the WantSignatureAlgorithm and WantDigestAlgorithm properties set to the appropriate algorithm, or should I have both the SignatureAlgorithm & WantSignatureAlgorithm (same for the Digest algorithm) properties set? For example:

"PartnerIdentityProviderConfigurations": [
  {
    "Name": "http://ExampleIdentityProvider",
    "Description": "Example Identity Provider",
    "SignAuthnRequest": true,
    "WantSamlResponseSigned": true,
    "WantAssertionSigned": false,
    "WantAssertionEncrypted": false,
    "DigestAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "WantDigestAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "WantSignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "SingleSignOnServiceUrl": "http://localhost:56349/SAML/SingleSignOnService",
    "SingleLogoutServiceUrl": "http://localhost:56349/SAML/SingleLogoutService",
    "PartnerCertificates": [
      {
        "FileName": "certificates/idp.cer"
      }
    ]
  }
]

The DigestAlgorithm and SignatureAlgorithm only apply when generating signatures.
In your case, SignAuthnRequest is true so the SAML authn request sent to the partner IdP as part of SP-initiated SSO will be signed using the configured algorithms.
If you don’t specify a DigestAlgorithm and SignatureAlgorithm they default to SHA-256.
The WantDigestAlgorithm and WantSignatureAlgorithm only apply when verifying signatures.
In your case, WantSamlResponseSigned is true so the SAML response signature received from the IdP must match the algorithms specified by WantDigestAlgorithm and WantSignatureAlgorithm.
If you don’t specify a WantDigestAlgorithm and WantSignatureAlgorithm they default to accepting any signature algorithms.
DigestAlgorithm and WantDigestAlgorithm are unrelated. Similarly, SignatureAlgorithm and WantSignatureAlgorithm are unrelated.
If you want to enforce the algorithms for received signatures then set WantDigestAlgorithm and WantSignatureAlgorithm.
The DigestAlgorithm and SignatureAlgorithm won’t affect the checking of the received algorithms.
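To make the distinction concrete, here is an added Python example (not ComponentSpace code, whose verification is implemented in C#) that reads the algorithm URIs from a constructed SAML response's ds:Signature and applies a partner IdP config as the reply describes: only the Want* keys can reject a response, while DigestAlgorithm/SignatureAlgorithm describe what we sign with. It checks the declared algorithms only; cryptographic verification of the signature itself is outside its scope.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"

# Constructed sample: a SAML response whose IdP still signs with SHA-256 (digest/signature values are placeholders).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="{SHA256}"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""

def received_algorithms(response_xml):
    """Return (signature algorithm, [digest algorithms]) declared in ds:Signature, or (None, []) if unsigned."""
    sig = ET.fromstring(response_xml).find(f"{DS}Signature")
    if sig is None:
        return None, []
    sig_alg = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
    digests = [m.get("Algorithm") for m in sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")]
    return sig_alg, digests

def check_received_signature(response_xml, partner):
    """Apply a partner IdP config the way the thread describes: only the Want* keys
    constrain received signatures; DigestAlgorithm/SignatureAlgorithm are for signing.
    Returns the reasons for rejection (an empty list means the algorithms are accepted)."""
    sig_alg, digests = received_algorithms(response_xml)
    if sig_alg is None:
        return ["response is not signed"] if partner.get("WantSamlResponseSigned") else []
    want_sig = partner.get("WantSignatureAlgorithm")  # absent -> accept any algorithm
    want_dig = partner.get("WantDigestAlgorithm")     # absent -> accept any algorithm
    reasons = []
    if want_sig and sig_alg != want_sig:
        reasons.append(f"signature algorithm {sig_alg} is not {want_sig}")
    reasons += [f"digest algorithm {d} is not {want_dig}" for d in digests if want_dig and d != want_dig]
    return reasons

# The question's setup (own signing algorithms changed to SHA-384, no Want* keys) still accepts SHA-256.
ONLY_SIGNING_SET = {"WantSamlResponseSigned": True, "DigestAlgorithm": SHA384, "SignatureAlgorithm": RSA_SHA384}
# The answer's setup (Want* keys set to SHA-384) rejects the same SHA-256 response.
WANT_SET = {"WantSamlResponseSigned": True, "WantDigestAlgorithm": SHA384, "WantSignatureAlgorithm": RSA_SHA384}
```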

Thanks, that cleared things up a lot. :slight_smile:

You’re welcome.