KEYCLOAK-4897 SAML Adapter fails to validate signature on assertion

Frederik Libert 2017-06-19 18:26:17 +02:00
parent 222541ab5c
commit 63d2d0f7ed


@ -364,26 +364,26 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) { if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) {
try { try {
validateSamlSignature(new SAMLDocumentHolder(buildAssertionDocument(responseHolder, assertion)), postBinding, GeneralConstants.SAML_RESPONSE_KEY); if (!AssertionUtil.isSignatureValid(getAssertionFromResponse(responseHolder), deployment.getIDP().getSignatureValidationKeyLocator())) {
} catch (VerificationException e) { log.error("Failed to verify saml assertion signature");
log.error("Failed to verify saml assertion signature", e);
challenge = new AuthChallenge() { challenge = new AuthChallenge() {
@Override @Override
public boolean challenge(HttpFacade exchange) { public boolean challenge(HttpFacade exchange) {
SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.INVALID_SIGNATURE, responseType); SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.INVALID_SIGNATURE, responseType);
exchange.getRequest().setError(error); exchange.getRequest().setError(error);
exchange.getResponse().sendError(403); exchange.getResponse().sendError(403);
return true; return true;
} }
@Override @Override
public int getResponseCode() { public int getResponseCode() {
return 403; return 403;
} }
}; };
return AuthOutcome.FAILED; return AuthOutcome.FAILED;
}
} catch (Exception e) { } catch (Exception e) {
log.error("Error processing validation of SAML assertion: " + e.getMessage()); log.error("Error processing validation of SAML assertion: " + e.getMessage());
challenge = new AuthChallenge() { challenge = new AuthChallenge() {
@ -504,19 +504,16 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
&& Objects.equals(responseType.getStatus().getStatusCode().getValue().toString(), JBossSAMLURIConstants.STATUS_SUCCESS.get()); && Objects.equals(responseType.getStatus().getStatusCode().getValue().toString(), JBossSAMLURIConstants.STATUS_SUCCESS.get());
} }
private Document buildAssertionDocument(final SAMLDocumentHolder responseHolder, AssertionType assertion) throws ConfigurationException, ProcessingException { private Element getAssertionFromResponse(final SAMLDocumentHolder responseHolder) throws ConfigurationException, ProcessingException {
Element encryptedAssertion = org.keycloak.saml.common.util.DocumentUtil.getElement(responseHolder.getSamlDocument(), new QName(JBossSAMLConstants.ENCRYPTED_ASSERTION.get())); Element encryptedAssertion = DocumentUtil.getElement(responseHolder.getSamlDocument(), new QName(JBossSAMLConstants.ENCRYPTED_ASSERTION.get()));
if (encryptedAssertion != null) { if (encryptedAssertion != null) {
// encrypted assertion. // encrypted assertion.
// We'll need to decrypt it first. // We'll need to decrypt it first.
Document encryptedAssertionDocument = DocumentUtil.createDocument(); Document encryptedAssertionDocument = DocumentUtil.createDocument();
encryptedAssertionDocument.appendChild(encryptedAssertionDocument.importNode(encryptedAssertion, true)); encryptedAssertionDocument.appendChild(encryptedAssertionDocument.importNode(encryptedAssertion, true));
Element assertionElement = XMLEncryptionUtil.decryptElementInDocument(encryptedAssertionDocument, deployment.getDecryptionKey()); return XMLEncryptionUtil.decryptElementInDocument(encryptedAssertionDocument, deployment.getDecryptionKey());
Document assertionDocument = DocumentUtil.createDocument();
assertionDocument.appendChild(assertionDocument.importNode(assertionElement, true));
return assertionDocument;
} }
return AssertionUtil.asDocument(assertion); return DocumentUtil.getElement(responseHolder.getSamlDocument(), new QName(JBossSAMLConstants.ASSERTION.get()));
} }
private String getAttributeValue(Object attrValue) { private String getAttributeValue(Object attrValue) {
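Review bot: The element whose signature is checked in the first hunk is located independently of the `assertion` object the rest of the handler consumes: `getAssertionFromResponse` returns whichever Assertion (or EncryptedAssertion) element `DocumentUtil.getElement` finds first under a namespace-less QName, while the claims come from the `assertion` argument that the removed `buildAssertionDocument(responseHolder, assertion)` call used. If a response carries more than one Assertion element, or the lookup matches on local name alone (not verifiable from this hunk), the element that was signature-checked and the one whose subject and attributes are consumed can differ. Suggest binding them before trusting the result, e.g. `Element assertionElement = getAssertionFromResponse(responseHolder);` followed by `if (!Objects.equals(assertionElement.getAttribute("ID"), assertion.getID())) { /* treat as INVALID_SIGNATURE */ }`, or otherwise rejecting responses that contain several assertions. Separately, the new failure branch logs `Failed to verify saml assertion signature` with no reason, and an exception thrown by `isSignatureValid` now falls through to the generic `catch (Exception e)` that records only `e.getMessage()`, so `log.error("Error processing validation of SAML assertion", e)` would keep the cause diagnosable. The enclosing method starts before the first hunk and continues past it.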