Shibboleth Developers

[Chad La Joie <>]

That rule, in addition to the ProtocolWithXMLSignature, 
SAML2HTTPPostSimpleSign, and ClientCertAuth are rules meant to establish 
the authenticity of the message and its sender and they operate in a 
fall-through manner.  If one doesn't work thats fine it just goes on and 
tries the next.  If you require that the message be signed and that that 
signature validate in order for the message be accepted remove the other 
rules that mentioned above and add the following rule at the end of the 
policy:

<security:Rule xsi:type="security:MandatoryMessageAuthentication" />

Note that a requirement that a SSO AuthnRequest be authenticated is not 
usual.  If you're going to do this you'll need to express in your 
metadata that you want requests to be signed or else most other SPs that 
you work with will start failing (since by default they don't sign).

Dharam Veer wrote:
> Hi,
>    For SSOConfiguration, the security policy that takes into affect is:
>
>   <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy"
> xsi:type="security:SecurityPolicyType">
>         <security:Rule xsi:type="samlsec:Replay"/>
>         <security:Rule xsi:type="samlsec:IssueInstant"/>
>         <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
>         <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
> trustEngineRef="shibboleth.SignatureTrustEngine" />
>         <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
> trustEngineRef="shibboleth.SignatureTrustEngine" />
>         <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
> trustEngineRef="shibboleth.SignatureTrustEngine" />
>         <security:Rule xsi:type="security:ClientCertAuth"
> trustEngineRef="shibboleth.CredentialTrustEngine" />
>         <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
>     </security:SecurityPolicy>
>
> The way I want to setup my IDP is that for SSO it uses HTTP Redirect binding
> and it _MUST_ be Simple Signed. From the above fragment it seems that this
> policy indeed apply that rule i.e.
>
> <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
> trustEngineRef="shibboleth.SignatureTrustEngine" />
>
> My expectation was that if the message is not signed (Simple Signed) then
> the IDP will throw a security exception but it is not the case:
>
> Here is part of log:
>
> 22:55:44.942 - INFO
> [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:99]
> - SAML protocol message was not signed, skipping XML signature processing
> 22:55:44.942 - DEBUG
> [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:63]
> - Evaluating simple signature rule of type:
> org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
> 22:55:44.942 - DEBUG
> [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:86]
> - HTTP request was not signed via simple signature mechanism, skipping
> 22:55:44.942 - DEBUG
> [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:63]
> - Evaluating simple signature rule of type:
> org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
> 22:55:44.943 - DEBUG
> [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:80]
> - Rule can not handle this request, skipping processing
>
> From this log (and after reading opensaml code) it seems that if the
> Signature is missing then the rule does not throw Security Exception and it
> prints
> "HTTP request was not signed via simple signature mechanism, skipping"
>
> I am pretty sure that my expectation is wrong as it cannot be just an
> oversight.
>
> Please help me in understanding what is that I am missing here and reason
> behind such a behavior.
>
> Regards & thanks
> Dharam

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch