Problem validating document with multiple Signature elements #275
Comments
+1 for addressing this -- my team also ran into this issue with the Okta IdP.
Maybe this was introduced at this change: We always try to analyze the first Signature. If the signed element (SAMLResponse) has signed children (Assertion), by checking the parent we are sure that the child is ok, so in the XML that you posted we try to check the signature of the SAMLResponse element.
@pitbulk Added a PR for this. It has the least amount of change needed to validate such documents, and the modification relies on the fact that a Signature element can only have one Reference node inside. What's your timeframe for the xml_security refactoring? I would very much like to contribute to that.
btw, if it's not a big hassle, I would greatly appreciate it if you could release a new version of the gem (say 1.1.1). I've been waiting for a long time for this. Thank you
I am trying to add SSO (single sign-on) using the SAML2 protocol. It works well when we run the application, but when we run the test cases it gives a digest mismatch and signature validation error. We have checked the configuration and it is the same in both cases. Request to share the parameters which are responsible for the signature validation and digest mismatch error.
The latest release of the gem (1.1.0) fails to validate documents of this form:
I tracked the problem to xml_security.rb: https://github.com/onelogin/ruby-saml/blob/master/lib/xml_security.rb#L234
Within each Signature element, we try to get the Reference node and match the digest_value with the computed hash of the referenced node.
When we get the encoded_digest_value from the Signature element, we use this: https://github.com/onelogin/ruby-saml/blob/master/lib/xml_security.rb#L307 (note the //ds:DigestValue). This scopes the call to the whole document and always returns the first DigestValue in the document, regardless of the context element we passed to the call, so it always compares the first digest value in the document with the computed hashes of each of the referenced nodes; hence the validation fails. See this answer on SO: http://stackoverflow.com/a/32640500
Thanks
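As an added illustration of the XPath scoping problem described in the issue (this is example code, not code from the issue or from ruby-saml): a constructed Response carrying two Signature elements is queried with REXML once using the document-scoped `//ds:DigestValue` and once using the context-relative `.//ds:DigestValue`. The XML, IDs and digest values are placeholders.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Constructed sample: a SAML-style Response whose Response and Assertion each
# carry their own Signature with a distinct (placeholder) DigestValue.
SAMPLE_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_resp"><ds:DigestValue>RESP_DIGEST</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
    </ds:Signature>
    <saml:Assertion ID="_assn">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#_assn"><ds:DigestValue>ASSN_DIGEST</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

DSIG_NS = { 'ds' => 'http://www.w3.org/2000/09/xmldsig#' }.freeze

# For every Signature in document order, evaluate +xpath+ with that Signature
# as the context node and return the DigestValue text it yields.
def digests_with(xpath)
  doc = REXML::Document.new(SAMPLE_XML)
  REXML::XPath.match(doc, '//ds:Signature', DSIG_NS).map do |sig|
    REXML::XPath.first(sig, xpath, DSIG_NS).text
  end
end

# A leading // is absolute (descendant-or-self from the document root), so the
# context node is ignored and every Signature "sees" the first DigestValue.
def document_scoped_digests
  digests_with('//ds:DigestValue')
end

# A leading ./ keeps the lookup inside the Signature we are validating, so each
# Reference is compared against its own digest.
def context_scoped_digests
  digests_with('.//ds:DigestValue')
end
```

With the document-scoped query the Assertion's Reference would be checked against the Response's digest, which is the mismatch the issue reports.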