Validate asserting party metadata signature #12116
I think this sounds reasonable, though it would likely involve making It might change to something like |
jzheaux added a commit to jzheaux/spring-security that referenced this issue on May 22, 2024, and another on Jun 29, 2024, both with the message:
This adds the RelyingPartyRegistrationsDecoder component which allows configuration with signature verification credentials. It also introduces a caching RelyingPartyRegistration implementation that uses it. Issue spring-projectsgh-12116
jzheaux added four commits to jzheaux/spring-security that referenced this issue on Jul 2, 2024, each with the message:
This adds the RelyingPartyRegistrationsDecoder component which allows configuration with signature verification credentials. Closes spring-projectsgh-12116 Closes spring-projectsgh-15017 Closes spring-projectsgh-15090
jzheaux added further commits to jzheaux/spring-security that referenced this issue on Jul 11, 2024 (three commits), Jul 14, 2024 (one) and Jul 19, 2024 (three).
Various elements in metadata can be digitally signed. Although signatures are optional, according to SAML specification, section 4.3.3.2 Processing Signed Documents and Fragments, "Metadata consumers MUST validate signatures, when present."
Expected Behavior
Similar to the previous Spring Security SAML Extension implementation:
Enable submitting a collection of public keys via configuration (e.g. as a part of RelyingPartyRegistration) and verify the signature(s) in IdP metadata using the PKIX algorithm, with the provided public keys as trust anchors.
Current Behavior
I believe the metadata signature is not verified. I did not find any way to enable this behaviour.
Context
Adding metadata signature increases security and conforms to SAML 2.0 specification.
As an example, Azure AD signs the root <EntityDescriptor> element of its metadata.
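As an added illustration of the expected behaviour described above (this is example code written for this page, not code from Spring Security or from the issue author), the following stand-alone Java program first signs a constructed EntityDescriptor the way an IdP would, then verifies it the way a relying party should: the configured collection of public keys is the only source of trust, the key embedded in the document's <ds:KeyInfo> is ignored, the single <ds:Reference> has to cover the root element's ID, and the JDK's XML-DSig secure-validation mode is switched on. It uses the JDK's javax.xml.crypto API (JSR 105) rather than OpenSAML, which Spring Security builds on, so it shows the checks rather than the project's API. The entityID, the ID value and both key pairs are made up for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collection;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class MetadataSignatureCheck {
    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String DS_NS = XMLSignature.XMLNS;

    // Constructed sample (hypothetical entityID): a minimal unsigned IdP EntityDescriptor.
    static final String METADATA =
        "<md:EntityDescriptor xmlns:md=\"" + MD_NS + "\" ID=\"_md1\" entityID=\"https://idp.example.test/saml\">"
      + "<md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>"
      + "</md:EntityDescriptor>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Metadata is fetched from the network: refuse DTDs so an XXE payload cannot ride along (JDK parser feature)
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Plays the IdP: enveloped RSA-SHA256 signature over the root element, inserted as its first child.
    static Document sign(Document doc, KeyPair idpKey) throws Exception {
        Element root = doc.getDocumentElement();
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + root.getAttribute("ID"),
                fac.newDigestMethod(DigestMethod.SHA256, null),
                List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                        fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        DOMSignContext ctx = new DOMSignContext(idpKey.getPrivate(), root, root.getFirstChild());
        ctx.setIdAttributeNS(root, null, "ID"); // lets the "#_md1" reference resolve while the digest is computed
        fac.newXMLSignature(si, kif.newKeyInfo(List.of(kif.newKeyValue(idpKey.getPublic())))).sign(ctx);
        return doc;
    }

    // Plays the relying party: accept the metadata only if its root is signed by a configured trust anchor.
    static boolean verify(Document doc, Collection<PublicKey> trustAnchors) throws Exception {
        Element root = doc.getDocumentElement();
        String id = root.getAttribute("ID");
        if (id.isEmpty()) return false;
        Element sigEl = null; // the ds:Signature must be a direct child of the root, not buried somewhere below it
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling())
            if (n instanceof Element && DS_NS.equals(n.getNamespaceURI()) && "Signature".equals(n.getLocalName()))
                sigEl = (Element) n;
        if (sigEl == null) return false; // policy choice in this example: once anchors are configured, unsigned metadata fails
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        for (PublicKey anchor : trustAnchors) {
            // The key comes from configuration only; the <ds:KeyInfo> inside the document is attacker-controlled
            DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(anchor), sigEl);
            ctx.setIdAttributeNS(root, null, "ID"); // only the root's ID may satisfy a "#id" reference
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // JDK: reject weak/unsafe constructs
            XMLSignature sig = fac.unmarshalXMLSignature(ctx);
            List<Reference> refs = sig.getSignedInfo().getReferences();
            // Exactly one Reference, and it must point at the root; otherwise the signature vouches for something else
            if (refs.size() != 1 || !("#" + id).equals(refs.get(0).getURI())) return false;
            try {
                if (sig.validate(ctx)) return true;
            } catch (XMLSignatureException e) {
                // forbidden algorithm, key/algorithm mismatch, unresolvable reference: all count as invalid
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair(), rogue = kpg.generateKeyPair(); // rogue: an attacker's own key pair
        Document signed = sign(parse(METADATA), idp);
        System.out.println("signed by pinned IdP key : " + verify(signed, List.of(idp.getPublic())));
        System.out.println("signed by unknown key    : " + verify(sign(parse(METADATA), rogue), List.of(idp.getPublic())));
        signed.getDocumentElement().setAttribute("entityID", "https://attacker.example.test/saml"); // tamper after signing
        System.out.println("modified after signing   : " + verify(signed, List.of(idp.getPublic())));
        System.out.println("no signature at all      : " + verify(parse(METADATA), List.of(idp.getPublic())));
    }
}
```

Run it with `java MetadataSignatureCheck.java` on JDK 11 or later (no dependencies beyond the JDK). The four calls in main cover the success path and the three failures worth testing: a document signed by a key outside the trust set (its <ds:KeyInfo> carries a perfectly valid key, which is exactly why the verifier must not consult it), content changed after signing, and metadata with no signature at all. The last case is rejected as a policy choice of this example; the specification sentence quoted in the issue only mandates validation when a signature is present, so a real implementation needs to decide whether configured anchors imply that a signature is required. IdP key rotation is handled by adding the new public key to the anchor collection for the overlap period, which is the reason the expected behaviour asks for a collection rather than a single key.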