
Cannot authenticate SAML because the response does not have a signature block in it


I am using spring-security-saml2-service-provider to implement a SAML2 Service Provider. After a successful login at the IDP page, the browser redirects back to the response page and it shows

Did not decrypt response [_424bf243-4853-41d8-b1be-c5c5a2c3a3af] since it is not signed

My response after decryption is

<samlp:Response ID="_424bf243-4853-41d8-b1be-c5c5a2c3a3af"
            Version="2.0"
            IssueInstant="2024-09-18T10:26:37.723Z"
            Destination="https://[mydomain]/saml/login/saml2/sso/rbportal-dev"
            Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
            InResponseTo="ARQ07866c1-9ac7-43b8-b319-0b3e5dcc599e"
            xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.testdev.vpb.com.vn/adfs/services/trust</Issuer>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </e:EncryptionMethod>
                <KeyInfo>
                    <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509IssuerSerial>
                            <ds:X509IssuerName>CN=[mydomain], OU=DF Department, O=[mydomain], L=HaNoi, S=HaNoi, C=VN</ds:X509IssuerName>
                            <ds:X509SerialNumber>275984599929908137247445060769002701383876346483</ds:X509SerialNumber>
                        </ds:X509IssuerSerial>
                    </ds:X509Data>
                </KeyInfo>
                <e:CipherData>
                    <e:CipherValue>iKjhREHzkDvxkHw3DLmhKVeo3Cmz38TKXdzhysaXusptfLzxSzPE/vF8DXB5UQ8MS7kg8RU+ESXLvAi65zYEB/XcoxhBL7heiRcLiu78YUIYlnWIiGDovM4J6iV1j2zxVIgaoJYMqQLPgmKJ6woGN4+2yW6FtNz2s8NRR1CsaZIBMb1f96kzfrSqK223p5/UhnrUbvBY9VgAQEE7T88zgkdqI4HsyHhi108b38ISxaRJEMfTlGiE1IlIdvIHzo4tP9eX/QTJgmgAWxNY9AAEGzazCdedNDlsQd6OgqArABXNU7k0aVp0WKgzqYvxY6S47ej/ueOPir9gjsnu0GdeUg==</e:CipherValue>
                </e:CipherData>
            </e:EncryptedKey>
        </KeyInfo>
        <xenc:CipherData>
            <xenc:CipherValue>C0a2WDsUQ6yVT/dDiNDPFhiZWVyo76z87SUpbaRwWNFj6HkpKKyKpHAfw6k531KfTXRcgTvVfxABSVN9MQqa/TzWk51MANzFcaheiRYrjjEFN7cUZBj/pwLKGse2J0BY4Rp6hSP15TE45y+AvSVyQkJOCMRMVJT4aydvAH6jT+frIb8vZb5pixTI4Ont7BVukdkVrIZ9W30s0OgSj+H9270NLn1jH+QnVedZreC+/tfJNVRrNObNj2z8eaTCShZ3mZt2eNYAUa8tyepVeQiO+73WhjqXOL6wLkx8L92SgGMZVujFVEUpwoqos1wne26sBuVUtdZMSKlkt8VYutMKXYY5qiiUxLwoYLI8/s+ZDMpUK9Amy6RVmIMjc8dHrpYztmL+WwG7diNXGAQh0LS6LNgchc964d2UcJHfkFFvMLycoAe+dOgDiZ+7fUvo1FwndRsKpKRrEr/cF52fAf4t4C3esShcCU2/q/5Bwe3ALSTL2GBkObr4eYTFuXruqow2bmR1CfMzI3Ehfk0LZtTfVrEuqWTkgkLmXzqCLaeTpv1tg/bpvTZ6ySceRjMps8ylX/XSjWZSddWFD43MypCvp09QDmpy6FGLpnIMpbzQos9RbuSCJPW9whPNExIjAzzfYrUH/3NgPiwqWO+8avpVVWd5ASx95Kdi2GRNyLt3dwtA77oPVlLGwW07f0IsSgkenlqCfytNLt1XT+9uwA5Xrv61aYb645AGaUl2jbaKydBR6qnJDCQmtjzVh+URCGWJRFf4U+PqGlsKsyZCd+S4eu/d+iMbtGBFqFKP6mLMKkm16uPKd//Z+Gub/3d4HN7CZsA2N6R1bTc62cq0Hj9EGe8LxLQObF7TejH9kHu+XiTWQJCOqYjEm7+zS16IKGFth0KklN+MTT4A/yxwoH/RNvS/rE2bnnA9mnHwXv9B8SUwKizwCErI6QnDlsukHYai3M0AqD26MyROqXz+0VRXLvNSeNObq1vchn01/8RJAApNCdww2yGj+AqQc71C/KuqmQvM3zTP2Dy1Xac+ra6wLE2SBd29NGynNmtmekmV7cdX7vqETkbBIiZD1QsQNK4a4AtH5nzhUAodxxFTIU16qb24fI6cepyuq8Ct7NhlQ9ylYJt/4HzzWSfTErkizeq0zdnSLFdxFryp2QzT+hLDtgjtEE5Uohakl59MygH3wlA5xucNJSxgLSvu5rBgz+04OBJT9s26ebPFqZO4gsbU7AkxWuGtUZOQsn3WP5WikHB9PK/iIbN35SGVbxbr6wXDAmmtEq1fcGLryEBHrKjsQDx7Vg4BBv0wEJ+9MqAVfYoNiA3JJUkc8CdPVCULPWfUuo1arD3wlisAw4NpfvfD0+ceel3czKW29OVC/fusi7iH8QM+5oK7B75CVAlxZhW0jb6bxDqm+zn1tFeAXP8hywnJV/ZArA9yFFgsllCionQWqe8OorMKyU1VSORDGvJN2zuLl9c27TwR7fbiG2ihKtvRE6PnS1O1G30ZBO0618KiL8ssfwT2i9U26d6w6Ej9trGDDKjVbB5CkWPfDfJE2dcZxXt9qg0SW0Y8AiFZdK+7jQsZEK1nLwELzsmId3DkRCiSuE3DUEJjOYWoe6roelRFLkApBD3GKW29Umf9RYly9S4QlSjp9AjkP5yP/c19C+6+PL1aNjRIoYnu0IhAEwCHyBLhjTcfjQ5dVmiNL2dXnT8AjGJ/XGFgP7Hxsc6t3UX2Q9o47dX/o5/sG7xhaASTIspvWVFZRhHrAWOtbO2D7mUx5FXRo8kG1j/1g8B2HMOWwObJ0VZNnon1BUOtFyuovziu2O4Jd2WNkJ5sgjsi9eSuzBQ9BqVnbPS8CSztGqpeSdSAvyKiGQmrtACWS4knVWSqBff4su2TlV2crKnr9mXiR7x8YQ5eeJCQZKChb3a/ffLa5WeLOupezdPoCkRFPSmRZvzZ9Ixwz3tHCOh8ZGVQd/
Emmguf3M8BBYyurvspXi9cIvKO07spXJqVpYz1VK8gMlATH3lVla3JSCy7eFLXXBhIyqQfxoPBOffxur2d1+5OzuOdeFFoGVOSjnZiur1enxxOg3xVL4cPaAFmolZTFmFEtM4wyTWD2GyZz6VgqKTHwu1hkoWMMfjGN4e3EXFBO2pgFIaRkLFR01hPQ+nJoP2YeowmmeVpvrO8RM54Gm9iVc8b3QVnp+XkD6OIP4+qQJ61OQzgAWuVDsiIOz/iye1gHTfxOq3FL/q415torYge72o/m2nmundZ2yE6rKOfFpu7HGE8Vt7KzKkvsuZbHk4LFcZT8mBU+b73uFwqq2e2EfyGAvzbgp6iZJVIwsjq9NXP3TB2YGUsPdyFUH6aNdA+4d8VYphH3+83iWE+qLJnrLHIxJM0qhVc36lYP5q4q4c1wg+OW3gN0WG6x+GJLc4w4aZ/FPm+dWmq55ZapOkIDM4BwCQakN+Hm/+Zs0Fo31WQHHd2jgWs1iLHG3Q+zOLFmCsZxhGSSE5OWYPiXGmX6fhxYqEVaGdRb8ipfw9zdvctrCxM3rwC5VcRARFVBWtbtbJAQyL8OdA9eWtO/rAa0Xgoy1v6lGzT1QzmI4dJ/zL8npVQK7fGXpy8VgLper/67VpkIn0Bkpr9vEFovzNXg8oj89/ERhiQXP5Gq6AkCmV8ZneowvsNbh0TJHKhXz4u8ZNPy22gZbm7dihACeBj/gngpNEBrEkpgdoCRmlpcWkroCQwMWZnMVbPgQNATo1JNfFSYjpcCHHaVfnx+g8xTJFcvd8fZ9YisPqupwnH0GyQUM6qJWbyul7FF6mOi/WCEfO8LginOn6YnejTNmtRs9Oma3i5cJe7UXmAkwqpsikT/zsNHL7koVkBMwzxxpng6VGw2ZEu3tVq0+8WJHPriKFiAN/89h0hcj8buU02ffHauJxIo76vv+qWsSRDP4HMN3PGn5VsIOPXqPD32zxd6vH8kex4Bm79GAZyYCArNuobcC7cXqdcHbOsVZhgVipC3veqUsHGIhFkBTS1qjP1IWYkfliZPdBb4ulpby7s1YIJRlZFLSemDCeIzwxOhcAXDpxcO9XPSk6/+Ff8sE1qLKfLh1JNg2aQ3wrMAWKdfacURtAfXg8Bt6OGVSOtXh74sdPl6wH77IC7Wi/x8A5vrQqPWe1hohnailk4FWl7v0BxEb4Mms3EuH2GQmqb9kzSSaDcHP93lyNPKf0C7BXDUpXqblpJTPvl3kFcxbbATKgcO/bTr9IrWJrDsUwyDYBueaWM+6KSH2JHXP02nHcfv16mk7vgi+x1eUPOC6Kf9AVHvWyxFK1KZkpExnbL2kK+JkX0MS0sQGVGbotkxpNE6wTJQiINOesf2/ugTHftQRgok1MpOi9NnCa1Bssv6JNQdhWyZJkCANRJNDiYmImN8S7TBgPDgLy+oWbpXPrQcJuACefBaQVrLtbuaAg7qGcBymJOfk1mh95wZZ9N3w06y9+S5EAvBTzo92MgjbbNipdaC57w5u7YWGw4IsqVWapmSP7S4yGHr+ufI743QM8RyhTYYt08pwN9aoY8sRq9RlAGo6GNmSwwzvTtSH2BegkXjQSGOG8tQAgv7oFPxX4Qhz7ja+utm2nLMSfOpw8K+S85AZSygon2dx8Ns9BZn+Vum5s10xFrQQF72GEX5pVFZp9ol/ZYiMnr0UX63r/zf4o2tV0MOTWCnSx8FMXl1i5K/DhmN5Dkhn3mix/bqF74c7CiADCkC6FPzikncUTZUZKhgtJlnFPI86bHocNtWDbUF3RCur+5LM7gyaNPpRZfY6zJYzot12V87w8Wa/LFtcOYNl4kyaF88wYK6g4zqFPMwFb7C489aCyswHjFZL0k3JQsJGzabanFl7SG/vA5OR4+bjrZ58fOpOhbWpwteGMCGG6SGqBG/jxwsvd56nK9Xv85SazA0KzU76VAytfeKZusJ4r8K+caqmAjp8fd/OLUO4LmMXF2Y0i86K
pE/uXG+vxpIP5UXreOy3c+MTaxshnDRbNOHUNmqsWDKxKaQgbloXinFfUl/XJS+4lAlkn0elkdpebnTSfliHvL2kWI2hpiL7Yw/u45HF0ehFXLhZycDG3gtzAHRgXnq+ykMfbZVwd5cvjgjTr/8W5AcHNeyPuV65wkK7T1m+pcXvcsOfAzYiNmvVJLv91+uBTyrScq7vCn+Hbo8fIkT2864jTElZENOjCZHp++1Fz9LaLVy0fxq79c+e/Qfza4A2m7zngRUZAOC+Tta0w0pLCLPWAOTKMNGiar8mZaIxhSegDMQfMKROAiZiJ+6oTdRUhJH+UtlY4f1jizkWUa3s/Xcs7nbZJmwycDjFAhg9BAMvLCZHi8v/AplduvK8mxIpV3DGBFlxVdpix0a4sC2+IXipKPi+zk5fsQNw3+3WZV9rqLCoU/JTs+5+ctyHPnsqz5vFWaFZhN+74SHI09rSt0AJ1Re9o1UpVyyJ7vKHdA0/IsvL+UHYY+72brrR81bjp6JXoqOdfIJWmcL5PPCpNx2ZfqmmYPcOEfCzwepyk/T18n3/jT6TgQVojEBIjupg8yEHJaDoKKHXWjD3QuCO1QGW31M2n/616TmBcbYYfwdVrEyAJYt2wxDtsu+MIXhONbRoWsnGlOwbd1I7IKwwnX7y2py0AD3lpRXKDylzA=</xenc:CipherValue>
        </xenc:CipherData>
    </xenc:EncryptedData>
</EncryptedAssertion>
</samlp:Response>

When I checked the source code, I found that it checks for a signature on the response

// responseSigned: whether the <samlp:Response> element itself carries a <ds:Signature>.
// Decryption of the assertions only happens when the enclosing response is signed.
if (responseSigned) {
    this.responseElementsDecrypter.accept(responseToken);
}
// Unsigned response that still contains <EncryptedAssertion> elements: rejected.
else if (!response.getEncryptedAssertions().isEmpty()) {
    result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_SIGNATURE,
        "Did not decrypt response [" + response.getID() + "] since it is not signed"));
}

My response does not have a signature in it, so I received the error.

But when I check this response at https://www.samltool.com/validate_response.php, it shows that my response is valid.

THE SAML RESPONSE IS VALID.

Does spring-security-saml2-service-provider not support the kind of response described on this page, https://www.samltool.com/generic_sso_res.php (SAML Response with Encrypted Assertion)?


Solution

  • You really need to sign the response from the IDP, not just the assertion in its encrypted form. Most IdPs give you the option to sign both the response and the assertion; pick both.

    There have been a number of security issues over the years with XML attacks, and some recent ones where the attacker is able to replace the encrypted assertion because the response itself was not signed.

    Although the SAML specification allows the response not to be signed, the only way to protect against those attacks is to enforce a signature on the response.
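As an added diagnostic (not code from the question, the answer, or Spring Security), the following Python applies the same structural decision as the quoted Spring snippet to a raw SAML Response, so you can tell from the XML alone whether an unsigned Response with an EncryptedAssertion will hit the "not signed" branch. The sample documents, the issuer URL and the empty placeholder Signature are constructed for illustration; nothing is verified or decrypted.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def classify_response(xml_text: str) -> dict:
    """Mirror the branch the quoted Spring snippet takes, from the Response XML alone.

    Only structure is inspected: nothing is verified or decrypted, so this
    merely explains which branch the provider will reach.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("root element is not samlp:Response")
    # An enveloped Response signature is a direct child of samlp:Response;
    # a ds:Signature nested inside an Assertion covers only that assertion
    # and cannot even be seen while the assertion is still encrypted.
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    encrypted = root.findall(f"{{{SAML}}}EncryptedAssertion")
    plain = root.findall(f"{{{SAML}}}Assertion")
    if response_signed:
        verdict = "decrypt"  # responseElementsDecrypter.accept(...) runs
    elif encrypted:
        verdict = "INVALID_SIGNATURE"  # the error from the question
    else:
        verdict = "check-assertion-signatures"  # nothing to decrypt
    return {"response_id": root.get("ID"), "response_signed": response_signed,
            "encrypted_assertions": len(encrypted), "plain_assertions": len(plain),
            "verdict": verdict}


# Constructed sample with the same shape as the response in the question:
# unsigned Response carrying one EncryptedAssertion (cipher text elided).
UNSIGNED_ENCRYPTED = """<samlp:Response ID="_r1" Version="2.0"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.test</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>"""

# Same response with a placeholder enveloped Signature added to the Response itself.
SIGNED_ENCRYPTED = UNSIGNED_ENCRYPTED.replace(
    "<samlp:Status>", '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><samlp:Status>', 1)
```

Calling classify_response(UNSIGNED_ENCRYPTED) yields the INVALID_SIGNATURE verdict seen in the question, while the signed variant reaches the decrypt branch.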