
Bugfix. Validate signed response from IdP with Idp public key #27


Open. Wants to merge 1 commit into master.

Conversation

philter87

@philter87 philter87 commented Mar 4, 2025

@jkmu Thanks for creating this awesome library for doing SAML2 authentication!!!

I have found something, which might be a bug. I was also getting the error: "Saml2Exception: Assertion signature could not be verified" which is mentioned in #24

The last part of the method "SamlValidator.GetValidatedAssertion" is checking the signature of the "Assertion" received from the IdP. The signature is checked using the ServiceProvider certificate, which I think is incorrect. The signature should be checked based on IdP's public key, because we need to ensure that the Assertion-object was created by the IdP.

To not accidentally break stuff, I have changed the implementation to check the signature against all trusted keys. I have added a method to the IConfigurationProvider to get all the trusted keys.
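An added example (not the library's code or this PR's diff) of what the corrected check looks like in C# with System.Security.Cryptography.Xml: the Assertion's enveloped signature is verified against each trusted IdP certificate rather than the ServiceProvider certificate, and the signature's Reference is checked against the Assertion's own ID first. The method name and the way the trusted certificates are obtained (the PR's new IConfigurationProvider method is not named in the description) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class AssertionSignatureCheck
{
    const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns the trusted IdP certificate whose key verifies the enveloped
    // signature on <saml:Assertion>, or throws if none of them does.
    // 'trustedIdpCerts' is assumed to come from the configuration provider.
    public static X509Certificate2 VerifyAssertionSignature(
        XmlDocument doc, IEnumerable<X509Certificate2> trustedIdpCerts)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsigNs);

        var assertion = doc.SelectSingleNode("//saml:Assertion", ns) as XmlElement
            ?? throw new InvalidOperationException("No saml:Assertion in response");
        // Only a Signature that is a direct child of the Assertion counts.
        var sigElement = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement
            ?? throw new InvalidOperationException("Assertion is not signed");

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sigElement);

        // Guard against signature wrapping: the single Reference must point at
        // this Assertion's own ID, not at some other element in the document.
        var assertionId = assertion.GetAttribute("ID");
        if (string.IsNullOrEmpty(assertionId) ||
            signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + assertionId)
            throw new InvalidOperationException("Signature does not cover this Assertion");

        // The key that matters is the IdP's, never the ServiceProvider's own
        // certificate. verifySignatureOnly: true checks with the given key only
        // and ignores whatever KeyInfo the sender embedded in the message.
        foreach (var cert in trustedIdpCerts)
        {
            if (signedXml.CheckSignature(cert, verifySignatureOnly: true))
                return cert;
        }
        throw new InvalidOperationException(
            "Assertion signature could not be verified with any trusted IdP key");
    }
}
```

Returning the matching certificate lets the caller log which IdP key validated the assertion, which is useful during key rollover when more than one trusted key is configured.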

…t the public key of the IdP (and not the service provider)