
shibboleth-dev - Evaluation of Security policies and rules

Subject: Shibboleth Developers


Evaluation of Security policies and rules


  • From: Dharam Veer <>
  • To:
  • Subject: Evaluation of Security policies and rules
  • Date: Sat, 11 Jul 2009 23:08:19 -0500

Hi,

   For SSOConfiguration, the security policy that takes effect is:

    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />
        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine" />
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    </security:SecurityPolicy>

The way I want to set up my IDP is that for SSO it uses the HTTP Redirect binding and it _MUST_ be simple-signed. From the above fragment it seems that this policy indeed applies that rule, i.e.

<security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine" />

My expectation was that if the message is not signed (simple-signed) then the IDP would throw a security exception, but that is not the case:

Here is part of log:

22:55:44.942 - INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:99] - SAML protocol message was not signed, skipping XML signature processing
22:55:44.942 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:63] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
22:55:44.942 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:86] - HTTP request was not signed via simple signature mechanism, skipping
22:55:44.942 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:63] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
22:55:44.943 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:80] - Rule can not handle this request, skipping processing

From this log (and after reading the OpenSAML code) it seems that if the Signature is missing then the rule does not throw a SecurityException; it just prints
"HTTP request was not signed via simple signature mechanism, skipping"

I am pretty sure that my expectation is wrong as it cannot be just an oversight. 

Please help me understand what it is that I am missing here and the reason behind such behavior.

Regards & thanks
Dharam
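
The behaviour visible in the log above, as an added worked example (this is illustrative code written for this page, not OpenSAML's or the IdP's own code). In OpenSAML 2 the SAML2HTTPRedirectSimpleSign rule only verifies a query-string signature when one is present and skips an unsigned request; what turns signing into a requirement is the SAML2AuthnRequestsSigned rule, which rejects an unsigned AuthnRequest whenever the SP's metadata carries AuthnRequestsSigned="true". The model below keeps the rule order of the policy fragment in the post. The SP metadata table, the entityIDs and the HMAC keys are constructed stand-ins: the real rule verifies an RSA/DSA signature against the SP's public key resolved through shibboleth.SignatureTrustEngine, and the SAMLRequest value here is a placeholder, not a real deflated request.

```python
"""Toy model of an OpenSAML-style security policy rule chain for the
SAML 2 HTTP-Redirect binding. Constructed example, not OpenSAML code."""
import hashlib
import hmac
from urllib.parse import urlencode


class SecurityPolicyException(Exception):
    """Raised when a rule fails; the IdP rejects the inbound message."""


class MessageContext:
    """Minimal stand-in for the SAML message context seen by the rules."""

    def __init__(self, issuer, params, xml_signed=False):
        self.issuer = issuer          # SP entityID from <saml:Issuer>
        self.params = params          # HTTP-Redirect query parameters
        self.xml_signed = xml_signed  # embedded XML Signature present?
        self.authenticated = False    # set once a signature verified
        self.trace = []               # what each rule decided


# Constructed SP metadata: entityID -> SPSSODescriptor AuthnRequestsSigned flag.
SP_METADATA = {
    "https://sp.example.org/shibboleth": {"AuthnRequestsSigned": True},
    "https://legacy.example.org/shibboleth": {"AuthnRequestsSigned": False},
}

# Hypothetical trust engine: a per-SP HMAC key stands in for the SP public
# key that shibboleth.SignatureTrustEngine would resolve from metadata.
TRUST_KEYS = {"https://sp.example.org/shibboleth": b"sp-example-constructed-key"}


def _signed_content(params):
    """Redirect-binding rule: sign SAMLRequest[&RelayState]&SigAlg, in that order."""
    parts = [("SAMLRequest", params["SAMLRequest"])]
    if "RelayState" in params:
        parts.append(("RelayState", params["RelayState"]))
    parts.append(("SigAlg", params["SigAlg"]))
    return urlencode(parts).encode()


def sign_redirect(params, key):
    """SP side (hypothetical helper): attach a simple signature to the query."""
    sig = hmac.new(key, _signed_content(params), hashlib.sha256).hexdigest()
    return {**params, "Signature": sig}


def authn_requests_signed_rule(ctx):
    """Models SAML2AuthnRequestsSigned: if metadata requires signed requests,
    the message must carry an XML Signature or a simple signature."""
    role = SP_METADATA.get(ctx.issuer)
    if role is None or not role["AuthnRequestsSigned"]:
        ctx.trace.append("AuthnRequestsSigned: metadata does not require signing, skipping")
        return
    if ctx.xml_signed or "Signature" in ctx.params:
        ctx.trace.append("AuthnRequestsSigned: requirement satisfied")
        return
    raise SecurityPolicyException(
        f"AuthnRequestsSigned: metadata for {ctx.issuer} requires signed "
        "AuthnRequests, but the inbound message was not signed")


def redirect_simple_sign_rule(ctx):
    """Models SAML2HTTPRedirectSimpleSign: verify a simple signature if one is
    present; an unsigned request is skipped here, not rejected."""
    if "Signature" not in ctx.params:
        ctx.trace.append("SimpleSign: request not signed via simple signature, skipping")
        return
    key = TRUST_KEYS.get(ctx.issuer)  # unknown SP -> no trusted key -> reject
    expected = (hmac.new(key, _signed_content(ctx.params), hashlib.sha256).hexdigest()
                if key else "")
    if not hmac.compare_digest(expected, ctx.params["Signature"]):
        raise SecurityPolicyException("SimpleSign: signature did not verify against trust engine")
    ctx.authenticated = True
    ctx.trace.append("SimpleSign: signature verified")


# Same relative order as in the posted policy: AuthnRequestsSigned runs first.
POLICY = [authn_requests_signed_rule, redirect_simple_sign_rule]


def check_request(issuer, params, xml_signed=False, rules=POLICY):
    """Run the rule chain; return (accepted, trace) or (rejected, reason)."""
    ctx = MessageContext(issuer, params, xml_signed)
    try:
        for rule in rules:
            rule(ctx)
        return True, ctx.trace
    except SecurityPolicyException as exc:
        return False, str(exc)


if __name__ == "__main__":
    base = {"SAMLRequest": "placeholder-deflated-base64-authnrequest",
            "RelayState": "cookie:1",
            "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
    sp = "https://sp.example.org/shibboleth"
    print(check_request(sp, base))                               # rejected by AuthnRequestsSigned
    print(check_request("https://legacy.example.org/shibboleth", base))  # both rules skip
    print(check_request(sp, sign_redirect(base, TRUST_KEYS[sp])))  # verified
```

The point the model makes is that "is a signature required" and "does the signature verify" are two different rules: the simple-signature rule alone will always skip an unsigned request, exactly as the log shows, and the rejection has to come from the metadata-driven requirement. Tampering with a signed query (for example changing RelayState) passes the requirement rule, since a Signature parameter is present, and is then rejected by the verification rule.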