shibboleth-dev - Re: [Shib-Dev] Evaluation of Security policies and rules
- From: Dharam Veer <>
- To:
- Subject: Re: [Shib-Dev] Evaluation of Security policies and rules
- Date: Sun, 12 Jul 2009 00:53:26 -0500
Thanks.
So is it correct to say that security rules are written such that they do take metadata into consideration, and it's actually the combination of both that makes a security rule fail or pass?
For this specific case, since for the Redirect binding there is no way in metadata of saying that SimpleSign is required, the implementation is the way it is.
Regards & thanks again.
On Sat, Jul 11, 2009 at 11:57 PM, Chad La Joie <> wrote:
That rule, in addition to ProtocolWithXMLSignature, SAML2HTTPPostSimpleSign, and ClientCertAuth, is one of the rules meant to establish the authenticity of the message and its sender, and they operate in a fall-through manner. If one doesn't work, that's fine; it just goes on and tries the next. If you require that the message be signed and that that signature validates in order for the message to be accepted, remove the other rules mentioned above and add the following rule at the end of the policy:
<security:Rule xsi:type="security:MandatoryMessageAuthentication" />
Note that a requirement that an SSO AuthnRequest be authenticated is not usual. If you're going to do this you'll need to express in your metadata that you want requests to be signed, or else most other SPs that you work with will start failing (since by default they don't sign).
--
Dharam Veer wrote:
Hi,
For SSOConfiguration, the security policy that takes effect is:
<security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy"
                         xsi:type="security:SecurityPolicyType">
    <security:Rule xsi:type="samlsec:Replay"/>
    <security:Rule xsi:type="samlsec:IssueInstant"/>
    <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
    <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
                   trustEngineRef="shibboleth.SignatureTrustEngine" />
    <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
                   trustEngineRef="shibboleth.SignatureTrustEngine" />
    <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
                   trustEngineRef="shibboleth.SignatureTrustEngine" />
    <security:Rule xsi:type="security:ClientCertAuth"
                   trustEngineRef="shibboleth.CredentialTrustEngine" />
    <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
</security:SecurityPolicy>
The way I want to set up my IDP is that for SSO it uses the HTTP Redirect binding
and it _MUST_ be Simple Signed. From the above fragment it seems that this
policy indeed applies that rule, i.e.
<security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
               trustEngineRef="shibboleth.SignatureTrustEngine" />
My expectation was that if the message is not signed (Simple Signed) then
the IDP will throw a security exception, but that is not the case.
Here is part of the log:
22:55:44.942 - INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:99] - SAML protocol message was not signed, skipping XML signature processing
22:55:44.942 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:63] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
22:55:44.942 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:86] - HTTP request was not signed via simple signature mechanism, skipping
22:55:44.942 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:63] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
22:55:44.943 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:80] - Rule can not handle this request, skipping processing
From this log (and after reading the OpenSAML code) it seems that if the
signature is missing then the rule does not throw a SecurityException; it
prints
"HTTP request was not signed via simple signature mechanism, skipping"
I am pretty sure that my expectation is wrong, as it cannot be just an
oversight.
Please help me in understanding what it is that I am missing here and the reason
behind such a behavior.
Regards & thanks
Dharam
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
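The fall-through behaviour Chad describes (an absent signature makes an authenticity rule skip rather than fail, so only a MandatoryMessageAuthentication rule at the end of the policy turns "nothing authenticated" into a rejection) can be checked with a small model of the policy chain. The following is an added example written for this archive page; it is not OpenSAML or Shibboleth code and does not use their APIs. The rule functions, the `Message`/`MessageContext` classes, the "redirect"/"post" binding labels and the set of trusted signature strings that stands in for the SignatureTrustEngine are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Outcome(Enum):
    SKIPPED = "skipped"              # nothing to evaluate: fall through to the next rule
    AUTHENTICATED = "authenticated"  # a signature was present and verified


class SecurityPolicyException(Exception):
    """A rule evaluated to a failure; evaluation of the whole policy stops here."""


@dataclass
class Message:
    # Hypothetical model of an inbound SAML protocol message (constructed, not OpenSAML).
    binding: str                            # "redirect" or "post"
    xml_signature: Optional[str] = None     # enveloped XML signature, None if absent
    simple_signature: Optional[str] = None  # SimpleSign parameter, None if absent


@dataclass
class MessageContext:
    message: Message
    trusted_signatures: set          # stands in for the configured SignatureTrustEngine
    authenticated: bool = False      # set once any authenticity rule verifies a signature
    trace: list = field(default_factory=list)

    def verify(self, signature: str, rule: str) -> Outcome:
        # A *present* signature that does not validate is a hard failure, not a skip.
        if signature in self.trusted_signatures:
            self.authenticated = True
            self.trace.append(f"{rule}: signature verified")
            return Outcome.AUTHENTICATED
        raise SecurityPolicyException(f"{rule}: signature failed to validate")


def protocol_with_xml_signature(ctx: MessageContext) -> Outcome:
    if ctx.message.xml_signature is None:
        ctx.trace.append("ProtocolWithXMLSignature: message not signed, skipping")
        return Outcome.SKIPPED
    return ctx.verify(ctx.message.xml_signature, "ProtocolWithXMLSignature")


def simple_sign_rule(binding: str, name: str):
    """Build a SimpleSign rule that only handles one binding (hypothetical)."""
    def rule(ctx: MessageContext) -> Outcome:
        if ctx.message.binding != binding:
            ctx.trace.append(f"{name}: rule can not handle this request, skipping")
            return Outcome.SKIPPED
        if ctx.message.simple_signature is None:
            ctx.trace.append(f"{name}: request not simple-signed, skipping")
            return Outcome.SKIPPED
        return ctx.verify(ctx.message.simple_signature, name)
    return rule


def mandatory_message_authentication(ctx: MessageContext) -> Outcome:
    # The only rule that fails on *absence* of authentication; it must come last.
    if not ctx.authenticated:
        raise SecurityPolicyException("MandatoryMessageAuthentication: message not authenticated")
    ctx.trace.append("MandatoryMessageAuthentication: satisfied")
    return Outcome.AUTHENTICATED


AUTHENTICITY_RULES = [
    protocol_with_xml_signature,
    simple_sign_rule("redirect", "SAML2HTTPRedirectSimpleSign"),
    simple_sign_rule("post", "SAML2HTTPPostSimpleSign"),
]


def evaluate(policy, message: Message, trusted_signatures: set) -> MessageContext:
    """Run every rule in order; a raising rule aborts the policy, a skip falls through."""
    ctx = MessageContext(message, trusted_signatures)
    for rule in policy:
        rule(ctx)
    return ctx


def demo():
    trusted = {"sig-from-known-sp"}      # constructed: what the trust engine accepts
    unsigned = Message(binding="redirect")
    # Policy made only of authenticity rules: an unsigned request falls through and is accepted.
    lenient = evaluate(AUTHENTICITY_RULES, unsigned, trusted)
    # Same rules plus MandatoryMessageAuthentication at the end: the same request is rejected.
    strict = AUTHENTICITY_RULES + [mandatory_message_authentication]
    try:
        evaluate(strict, unsigned, trusted)
        rejected = False
    except SecurityPolicyException:
        rejected = True
    signed = Message(binding="redirect", simple_signature="sig-from-known-sp")
    accepted = evaluate(strict, signed, trusted)
    return lenient.authenticated, rejected, accepted.authenticated


if __name__ == "__main__":
    print(demo())   # (False, True, True)
```

The trace produced for the unsigned Redirect request reproduces the sequence in the log excerpt above: the XML signature rule skips, the Redirect SimpleSign rule skips because no signature is present, and the POST SimpleSign rule skips because it cannot handle the binding. Only a signature that is present but does not validate raises from an authenticity rule itself.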