
Spring Security SAML: Accept only signed SAML response messages from IDP

We are using Spring Security SAML (v1.0.3) in our Java application for SAML SSO with IDP.

Requirement : Accept only signed SAML response messages from IDP, if the SAML response is not signed, then throw an exception.

Actual Result : Even if the signing information is completely missing from the SAML Login response message, it is accepted and Spring Security SAML library doesn't throw an exception.

Observations :

  1. If wrong signing information is present in the SAML Login response message, then it throws an exception which is correct.
  2. For Logout messages, we have properties requireLogoutRequestSigned and requireLogoutResponseSigned in the extended metadata generator that controls whether logout request and response shall be signed or not.
  3. For Login Response message, we have a property wantAssertionSigned that indicates whether SP requires signed assertions or not.

Questions :

  1. Is there any property or an approach in Spring Security SAML framework that enables SP to only accept signed Login response (at the message level) from IDP?
  2. Per my understanding, the signing of the SAML Response Message and Assertion are two different things. Is it correct? The property wantAssertionSigned only enables signed assertions and not the message.

  1. I could not find such a configuration possibility, had to add custom implementation. I will elaborate below.
  2. It is correct, those are two different things.

First of all, make sure proper binding is used that allows for signature response. For example, redirect binding should not have a signature in the response itself, if I understood correctly what is written here, lines 578-582

"Any signature on the SAML protocol message, including the XML element itself, MUST be removed. Note that if the content of the message includes another signature, such as a signed SAML assertion, this embedded signature is not removed. However, the length of such a message after encoding essentially precludes using this mechanism. Thus SAML protocol messages that contain signed content SHOULD NOT be encoded using this mechanism."

As for the HTTP Post binding, which was used in a project I was working on recently, in the same (as above) document, lines 839-842 it states: "The presence of the user agent intermediary means that the requester and responder cannot rely on the transport layer for end-end authentication, integrity or confidentiality protection and must authenticate the messages received instead. SAML provides for a signature on protocol messages for authentication and integrity for such cases. Form-encoded messages MAY be signed before the base64 encoding is applied."

Based on this, we made the decision to enforce all response messages, processed by the HTTP Post binding, must be signed. We left the other bindings intact.

To achieve this, I've subclassed the existing Spring's HTTPPostBinding. I've then instructed Spring provided SAMLProcessorImpl to use this binding instead of its default one. This custom binding implementation adds an additional OpenSAML's SecurityPolicyRule. As for that rule, pretty simple implementation, enforces all SAML messages to be signed. Signature verification is left to the already existing OpenSAML's SAMLProtocolMessageXMLSignatureSecurityPolicyRule. This one is by default included in the default HTTPPostBinding, and, also by default, allows for signature to be missing. This could be a good starting point to look at if you decide to go with your own security policy rule implementation.

As for assertion signatures, I think there is an issue with default implementation as well but that might be out of scope of your questions.

Hope this helps, cheers.
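One way to put the approach from the answer above into code, as an added example that is not part of the original answer and not code from the Spring Security SAML project: a security policy rule that rejects any inbound SAML protocol message without a message-level signature, a subclass of `HTTPPostBinding` that registers the rule next to the default `SAMLProtocolMessageXMLSignatureSecurityPolicyRule`, and a factory that hands the custom binding to `SAMLProcessorImpl`. It assumes Spring Security SAML 1.0.x on OpenSAML 2.x, that `HTTPPostBinding` exposes the `getSecurityPolicy(List<SecurityPolicyRule>, SAMLMessageContext)` hook and the `(ParserPool, VelocityEngine)` constructor, and that your other bindings (redirect, artifact, ...) are built as before; the class names `SignedOnlyHTTPPostBinding` and `RequireSignedMessageRule` are invented here.

```java
// Added example, not from the original post or the Spring Security SAML project.
// Assumes Spring Security SAML 1.0.x on OpenSAML 2.x; verify the hook and constructor
// signatures against the library version you actually run.
import java.util.ArrayList;
import java.util.List;

import org.apache.velocity.app.VelocityEngine;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.processor.HTTPPostBinding;
import org.springframework.security.saml.processor.SAMLBinding;
import org.springframework.security.saml.processor.SAMLProcessorImpl;

/**
 * HTTP-POST binding that accepts only signed SAML protocol messages (hypothetical name).
 * The default binding already verifies a signature when one is present; this subclass
 * additionally makes the absence of a message-level signature a policy failure.
 */
public class SignedOnlyHTTPPostBinding extends HTTPPostBinding {

    public SignedOnlyHTTPPostBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
        super(parserPool, velocityEngine);
    }

    @Override
    public void getSecurityPolicy(List<SecurityPolicyRule> securityPolicyRules,
                                  SAMLMessageContext samlContext) {
        // Keep the default rule set: it contains SAMLProtocolMessageXMLSignatureSecurityPolicyRule,
        // which validates a signature against the trust engine if (and only if) one is present.
        super.getSecurityPolicy(securityPolicyRules, samlContext);
        // Then require that a signature is present at all.
        securityPolicyRules.add(new RequireSignedMessageRule());
    }

    /**
     * Rule that fails when the inbound message (Response, LogoutRequest, ...) carries no
     * ds:Signature at the protocol-message level. Verification of the signature itself is
     * deliberately left to the default XML signature rule.
     */
    public static class RequireSignedMessageRule implements SecurityPolicyRule {

        @Override
        public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
            if (!(messageContext instanceof SAMLMessageContext)) {
                throw new SecurityPolicyException("Expected a SAML message context");
            }
            SAMLObject inbound = ((SAMLMessageContext) messageContext).getInboundSAMLMessage();
            if (inbound == null) {
                throw new SecurityPolicyException("No inbound SAML message to evaluate");
            }
            // Every SAML 2.0 protocol message type is a SignableSAMLObject; reject anything else.
            if (!(inbound instanceof SignableSAMLObject)
                    || !((SignableSAMLObject) inbound).isSigned()) {
                throw new SecurityPolicyException(
                        "Inbound SAML message " + inbound.getElementQName()
                                + " is not signed at the message level");
            }
        }
    }

    /**
     * Builds a SAMLProcessorImpl whose POST binding is the signed-only variant. Other bindings
     * (redirect, artifact, SOAP) are passed in unchanged, matching the answer's decision to
     * leave them intact.
     */
    public static SAMLProcessorImpl buildProcessor(ParserPool parserPool,
                                                   VelocityEngine velocityEngine,
                                                   List<SAMLBinding> otherBindings) {
        List<SAMLBinding> bindings = new ArrayList<SAMLBinding>();
        bindings.add(new SignedOnlyHTTPPostBinding(parserPool, velocityEngine));
        bindings.addAll(otherBindings);
        return new SAMLProcessorImpl(bindings);
    }
}
```

The rule is appended after the default rules, so on a signed message the existing XML signature rule still does the cryptographic check against the IDP metadata; on an unsigned message the new rule throws, which the decoder reports as a decoding failure and the SP then refuses the login. Note this covers the protocol message only; the `wantAssertionSigned` metadata property remains the knob for the embedded assertion, as the answer says these are two separate things.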
