Force SP to sign SOAP messages


Force SP to sign SOAP messages

David Sommer
Hi,

I want to force the SP to always sign SOAP messages sent via backchannel
for the HTTP-Artifact binding.

I used signing="true" in the ApplicationDefaults but the SP still sent
the message unsigned, so I suspected that this setting gets overridden
somewhere.
The login flow is initiated by a custom SessionInitiator and returns
back to the SP on an AssertionConsumerService using HTTP-Artifact binding.
However, the ArtifactResolve message sent out is unsigned.
I also tried to add signing="true" to the AssertionConsumerService (in
shibboleth2.xml), but that gave a parser error, even though
https://wiki.shibboleth.net/confluence/display/SP3/SAML+2.0+AssertionConsumerService
makes it look like this is actually allowed.

Cheers,

David


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Force SP to sign SOAP messages

Cantor, Scott E.
On 1/6/20, 11:14 AM, "users on behalf of David Sommer" <[hidden email] on behalf of [hidden email]> wrote:

> I used signing="true" in the ApplicationDefaults but the SP still sent
> the message unsigned, so i suspected that this setting gets overridden somewhere.

I believe that works but I would have to dig into the code to follow it through, so short of filing a bug and waiting an unknown number of weeks for answer, that's about all I can say. Assuming you're a non-member anyway.

> The login flow is initiated by a custom SessionInitiator and returns
> back to the SP on a AssertionConsumerService using HTTP-Artifact binding.

There's little chance you need a custom SessionInitiator for that, but that's not too relevant.

> I also tried to add signing="true" to the AssertionConsumerService (in
> shibboleth2.xml), but that gave a parser error, even though

You shouldn't have an AssertionConsumerService, you'd be very unlikely not to break the SP trying to do all that. Adding signing="true" to the <SSO> element would be another possible way to do it, which obviously limits it to SSO and not logout.

Doing it in an ACS element requires a namespace prefix (conf:signing usually) because that element is from SAML's schema and has to be worked around to pass it custom settings.

-- Scott


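The three placements discussed above (ApplicationDefaults, the <SSO> element, and a hand-written ACS element with the conf: prefix), shown together in one shibboleth2.xml fragment. This is an added illustration, not configuration from the thread or from the Shibboleth distribution; the entityIDs, paths and session values are placeholders. It also shows the "back" value of the signing property, which restricts signing to back-channel (SOAP) messages, the case the original question is about, and adds one check a practitioner would want: a <RelyingParty> override for the IdP takes precedence over ApplicationDefaults, so a default that appears to be ignored may be overridden there.

```xml
<!-- Added illustration (not from the thread): where the SP "signing" property
     can be set in shibboleth2.xml (SP3). entityIDs and paths are placeholders.
     Accepted values: "true", "false", "front" (front-channel only),
     "back" (back-channel/SOAP only). -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

    <!-- 1. Application-wide default, inherited by every RelyingParty.
            "back" signs SOAP messages such as ArtifactResolve and leaves
            front-channel messages alone; "true" signs both. -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                         REMOTE_USER="eppn"
                         signing="back"
                         encryption="false">

        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                  handlerSSL="true" cookieProps="https" redirectLimit="exact">

            <!-- 2. On <SSO>: applies only to the SSO handlers this element
                    auto-wires (SessionInitiator and ACS endpoints), not to
                    logout. -->
            <SSO entityID="https://idp.example.org/idp/shibboleth" signing="true">
              SAML2
            </SSO>

            <!-- 3. Only if you hand-write ACS elements instead of using <SSO>
                    (mixing the two is discouraged above): the element is in the
                    SAML metadata namespace, so an SP property on it needs the
                    conf: prefix. The form, kept inside this comment so the
                    fragment stays consistent with the <SSO> element:

                    <md:AssertionConsumerService Location="/SAML2/Artifact"
                        index="1"
                        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                        conf:signing="true"/>
            -->
        </Sessions>

        <!-- Check: a RelyingParty override for the IdP wins over the default
             above. If signing is "false" here, the ApplicationDefaults value
             never applies to messages sent to this IdP. -->
        <RelyingParty Name="https://idp.example.org/idp/shibboleth"
                      signing="back"/>

        <MetadataProvider type="XML" validate="true"
                          path="idp-metadata.xml"/>

        <CredentialResolver type="File"
                            key="sp-key.pem" certificate="sp-cert.pem"/>
    </ApplicationDefaults>
</SPConfig>
```

After editing, `shibd -t` parses the configuration and reports key-loading problems, which is where a failure to sign would surface rather than in the per-message signature logging.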

Re: Force SP to sign SOAP messages

David Sommer
> You shouldn't have an AssertionConsumerService, you'd be very unlikely not to break the SP trying to do all that. Adding signing="true" to the <SSO> element would be another possible way to do it, which obviously limits it to SSO and not logout.
I haven't found a way to make <SSO> use HTTP-Artifact, therefore the SessionInitiator. Is there a way to use <SSO> if I want the IdP to send the <Response> by artifact?



Re: Force SP to sign SOAP messages

Cantor, Scott E.
On 1/6/20, 12:29 PM, "users on behalf of David Sommer" <[hidden email] on behalf of [hidden email]> wrote:

> I haven't found a way to make <SSO> use HTTP-Artifact, therefore the SessionInitiator. Is there a way to use <SSO> if i
> want the IdP to send the <Response> by artifact?

That's a matter of metadata in some sense; if you only want artifact support, you'd update your metadata and edit protocols.xml to adjust the auto-wiring by commenting out the bindings you don't want.

Doing both at once is, I think, most easily done by adjusting the order of the bindings in that file, but that's also going from memory. It couldn't hurt to try it.

-- Scott


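The protocols.xml adjustment described above, as an added example (not a file from the thread or the Shibboleth distribution): the SAML2 SSO service is left with HTTP-Artifact as the first, and here the only, binding, so the ACS endpoints that <SSO> auto-wires are artifact-only. The <Service type="Logout"> section is left as shipped. Paths follow the SP's standard handler layout; the file header and element names are as in the SP3 default protocols.xml to the best of my knowledge and should be compared against the shipped copy before use.

```xml
<!-- Added illustration (not from the thread): the SAML2 SSO service in
     protocols.xml with HTTP-Artifact as the only binding left active.
     To support both POST and Artifact, uncomment the other bindings and
     keep Artifact first; the order here is the order of the auto-wired
     ACS endpoints and of the indexes in the generated metadata. -->
<Protocols xmlns="urn:mace:shibboleth:3.0:native:sp:protocols">

    <Protocol id="SAML2">
        <Service type="SSO">
            <Initiator id="SAML2"/>

            <!-- Artifact first: the IdP's <Response> comes back by artifact
                 and the SP resolves it over the SOAP back channel. -->
            <Binding id="SAML2.Artifact" path="/SAML2/Artifact"/>

            <!-- Disabled bindings. Re-enable as needed; the first listed
                 binding gets the lowest ACS index. -->
            <!--
            <Binding id="SAML2.POST" path="/SAML2/POST"/>
            <Binding id="SAML2.POST-SimpleSign" path="/SAML2/POST-SimpleSign"/>
            <Binding id="SAML2.ECP" path="/SAML2/ECP"/>
            -->
        </Service>

        <Service type="Logout">
            <Initiator id="SAML2"/>
            <Binding id="SAML2.Redirect" path="/SLO/Redirect"/>
            <Binding id="SAML2.POST" path="/SLO/POST"/>
            <Binding id="SAML2.Artifact" path="/SLO/Artifact"/>
            <Binding id="SAML2.SOAP" path="/SLO/SOAP"/>
        </Service>
    </Protocol>

</Protocols>
```

Because this changes the endpoints the SP advertises, regenerate the SP metadata (the Metadata handler, `/Shibboleth.sso/Metadata` by default, reflects the new ACS list) and update the copy registered with the IdP; otherwise the IdP will keep responding to the bindings in its old copy.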

Re: Force SP to sign SOAP messages

David Sommer
> That's a matter of metadata in some sense; if you only want artifact support, you'd update your metadata and edit protocols.xml to adjust the auto-wiring by commenting out the bindings you don't want.
This worked, but didn't fix the issue, unfortunately. I suspect that the
SP might be unable to sign the message and simply sends it
unsigned. However the logs show no such error, even when raising
log4j.category.XMLTooling.Signature.Debugger to DEBUG. Is there another
way to determine if the SP fails to sign messages or to even force the
SP to not send messages at all when failing to sign them?


Re: Force SP to sign SOAP messages

Cantor, Scott E.
On 1/6/20, 2:42 PM, "users on behalf of David Sommer" <[hidden email] on behalf of [hidden email]> wrote:

> This worked, but didn't fix the issue, unfortunately. I suspect that the
> SP might be unable to sign the message and simply sends it
> unsigned.

That would be my assumption.

>  However the logs show no such error, even when raising
> log4j.category.XMLTooling.Signature.Debugger to DEBUG.

If it can't sign, the error is nowhere near that location in the log or in that category, it's a startup issue with the key.

-- Scott



Re: Force SP to sign SOAP messages

Cantor, Scott E.
Though to be fair, if it's told it should sign, and can't, that's going to be logged at WARN. So that's not what it is, if that's not happening.

That doesn't leave anything obvious I can think of.

-- Scott



Re: Force SP to sign SOAP messages

David Sommer
> That doesn't leave anything obvious I can think of.

Okay, thank you anyway.
