Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Turn warning about no signature verification into an error #866

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

thijskh
Copy link

@thijskh thijskh commented Aug 8, 2022

We had a production SP configured with not checking any response or assertion signature at all. The warning was logged, but not noticed. This is quite undesirable, in other words, highly insecure.

It happened because the SP interfaces with an IdP that does not sign responses, only assertions. So want_response_signed was turned off in config. It was not transparant to the operators that setting just this setting implies that no signatures are checked at all. The warning was logged, but sure, people read logs only when things do not work and the SP worked. The warning was discovered later when researching another problem.

I propose to change the following:

  1. Turn the warning about no signature verification being done into an error. There's really no situation in which an SP should operate without checking any signature on a receveived response or assertion. Making it an error makes this security hole obvious, instead of having to spot the warning somewhere in the logs.
  2. Assist users by defaulting the want_assertions_or_response_signed setting to True. This seems a more graceful fallback for a system that has turned off response signing than just not checking any signature at all (or, if 1 is implemented, throwing an error). Because the want_response_signed and want_assertions_signed options override this one if set to True, it should not change behaviour for any non-insecure exising SP config.

thijskh added 2 commits August 8, 2022 16:07
Not checking any signature is completely insecure and we'd want to
go through great lenghts to avoid this. Just logging a warning does
not suffice, since will read logs when it doesn't work, but it does.
Given that the other signature verification options want_assertions_signed
and want_response_signed will overrule this setting, defaulting it to true
does not impact any configuration that has one of those settings. It does
however catch the situation where someone has disabled response signature
checking. This prevents that user from landing on an error about an
insecure config, and rather employs this reasonable fallback scenario.
Copy link
Member

@c00kiemon5ter c00kiemon5ter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your suggestions.

There's really no situation in which an SP should operate without checking any signature on a received response or assertion

pysaml2 has been a flexible implementation where people can set things however they like. Maybe, when starting out, allowing for this behaviour is ok, but the checks should be turned on at some point (very soon). Restricting this is for the best. In general I agree and do hope that nobody is using a configuration without any checks.

Note to self: this will be a breaking change.

@@ -174,7 +173,7 @@ def __init__(self, config=None, identity_cache=None, state_cache=None,
"authn_requests_signed": False,
"want_assertions_signed": False,
"want_response_signed": True,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should change to False to allow messages with signed assertions only to be processed. This should also change on the documentation.

Suggested change
"want_response_signed": True,
"want_response_signed": False,

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is saml2int compliant to change this default. However of course there are some arguments to make that reponse signing is more secure/more defense in depth than assertion signing so there is some case also to make to by default check response signatures and let people change that if they need to.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If your IdP signs responses it's probably more secure/defense in depth to not allow this to change. So defaulting to response signing as a requirement might make sense, so only installs that knowingly require only the assertion to be signed will change this?

src/saml2/client_base.py Outdated Show resolved Hide resolved
@thijskh
Copy link
Author

thijskh commented Aug 12, 2022

Note to self: this will be a breaking change.

It will only be breaking things that are already broken... so is it?

@thijskh
Copy link
Author

thijskh commented Jun 20, 2023

pysaml2 has been a flexible implementation where people can set things however they like. Maybe, when starting out, allowing for this behaviour is ok, but the checks should be turned on at some point (very soon). Restricting this is for the best. In general I agree and do hope that nobody is using a configuration without any checks.

Well, the case we encountered was using djangosaml2. It happened in this way:

  1. App uses djangosaml2
  2. IdP signs only assertions, not responses
  3. Deployer adds only "want_response_signed: false" to config
  4. This makes the SP end up not checking any signatures at all.

So not someone just using the bare library themselves. In my opinion the insecure configuration should either not be allowed at all or at least not possible to enable implicitly, only explictly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants