
The SAML response contains duplicate sections of "ds:Reference" #11604

Closed
tabsmann opened this issue Oct 3, 2024 · 3 comments · Fixed by #11699
Labels
bug Something isn't working status/reviewing thanks for opening, we're taking a look

Comments


tabsmann commented Oct 3, 2024

Describe the bug

The SAML response contains duplicate sections of "ds:Reference"
According to a Java SAML implementation, this reference should be unique, and therefore the SAML response is rejected.

To Reproduce

  1. Configure a SAML provider.
  2. Select "Sign assertions" and "Sign responses".
  3. Go to a site that will use it.
  4. Capture the SAML response with Chrome.
  5. Decode the base64.
  6. See the duplicate reference.

Expected behavior
ds:Reference should be unique according to my information.

Version and Deployment (please complete the following information):

  • authentik version: 2024.8.3
  • Deployment: docker-compose

Additional context
Here is one of the faulty SAML responses. I removed all information specific to our deployment.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Version="2.0" IssueInstant="2024-10-03T07:06:39Z"
    Destination="https://acs.url" ID="_bfde1dda2d9e41cfac017ecb9d160987"
    InResponseTo="__a6ac044d-f788-440a-bb4d-a9976d892a0e">
    <saml:Issuer>https://saml-test.com/</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0" ID="_c84d363337664cec85c06916625cbae9"
        IssueInstant="2024-10-03T07:06:39Z">
        <saml:Issuer>https://saml-test.com/</saml:Issuer>
        <ds:Signature>
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_c84d363337664cec85c06916625cbae9">
                    <ds:Transforms>
                        <ds:Transform
                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>CpFJ+gnTmFxT9EYBq+uTfYo2Rt5YJbS7ut40jh/jh/c=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#_c84d363337664cec85c06916625cbae9">
                    <ds:Transforms>
                        <ds:Transform
                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>CpFJ+gnTmFxT9EYBq+uTfYo2Rt5YJbS7ut40jh/jh/c=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>---removed---</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>---removed---
                    </ds:X509Certificate>
                </ds:X509Data>
                <ds:X509Data>
                    <ds:X509Certificate>---removed---
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                test-user</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="__a6ac044d-f788-440a-bb4d-a9976d892a0e"
                    NotOnOrAfter="2024-10-03T07:11:39Z"
                    Recipient="https://acs.url" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2024-10-03T07:01:39Z" NotOnOrAfter="2024-10-03T07:11:39Z">
            <saml:AudienceRestriction>
                <saml:Audience>
                    https://dummy.local</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2024-10-03T07:01:39Z"
            SessionIndex="_c84d363337664cec85c06916625cbae9"
            SessionNotOnOrAfter="2024-12-02T07:06:39Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="http://schemas.goauthentik.io/2021/02/saml/username">
                <saml:AttributeValue>test-user</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
                <saml:AttributeValue>authentik Admins</saml:AttributeValue>
                <saml:AttributeValue>SAML-Test</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Thanks and best regards,
Tobias

@tabsmann tabsmann added the bug Something isn't working label Oct 3, 2024
Zapfmeister (Contributor) commented

I do have the exact same issue.

@BeryJu BeryJu added the status/reviewing thanks for opening, we're taking a look label Oct 16, 2024
Zapfmeister (Contributor) commented

The issue changed for me. It still has two entries, but not identical ones:

            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#_9612d596defe438b9efc13ed878806fa">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>n0wtzkQVyZdxBAqcPNVbtnofmJY5YaeMiYoNwSbQyFg=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#_f6507d36912e4230a86b800e0fe7be10">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>IUHMNeViiRy+jrS74ibC2kGk7v3LO1Uc5Jb8MoSZoNY=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>

Maybe it's adding one entry for "Sign assertions" and one for "Sign responses"?
Splunk is still complaining: Expected only one ds:SignedInfo/ds:Reference/ds:DigestMethod but found=2


dcortez commented Dec 9, 2024

I'm running into almost the same issue (or one that is very closely related). Using https://samltool.io, I can get valid assertion signing to work, but not responses and not both assertions or responses. I did find reference to something similar in issue #7873, but it appears they were mostly talking about a SAML source, not a provider.

From what I can tell, both the signed assertions and response options are being added to the assertions node rather than in different places (directly under the response node rather than the assertion node). I'm still trying to validate that thought process by manually changing the response around to see what the results show on the samltool.io debugger, but wanted to share my initial findings if it helps get a fix into the works.

-DC
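The three layouts described in this thread (two ds:Reference elements for the same ID in the original report, two references to different IDs from one signature in the later comment, and a response signature emitted under the assertion as dcortez suspects) all break the same rule from SAML 2.0 Core section 5.4: each ds:Signature is a child of the element it signs and carries a single ds:Reference whose same-document URI points at that element's ID. The Python check below is added here as an illustration, not code from authentik or from anyone in this issue. It applies those structural rules to a message before any cryptographic verification, which is the kind of pre-check a relying party can run and log; the XML samples are constructed to reproduce only the signature layouts seen above, with digest and signature values replaced by placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 messages and XML Signature (all standard).
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_signed_info(xml_text):
    """Structural pre-check of every ds:Signature in a SAML message, run
    before any cryptographic verification. Returns a list of findings;
    an empty list means the layout matches SAML 2.0 Core 5.4:
      - exactly one ds:Reference per signature,
      - a same-document URI ("#id") that resolves to exactly one element,
      - that element is the direct parent of the ds:Signature."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # Index every ID attribute; assertions and protocol messages carry one each.
    by_id = {}
    for el in root.iter():
        if el.get("ID") is not None:
            by_id.setdefault(el.get("ID"), []).append(el)

    findings = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        owner = parent_of.get(sig)
        where = _local(owner.tag) if owner is not None else "<document>"
        refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if len(refs) != 1:
            findings.append(f"{where}: expected 1 ds:Reference, found {len(refs)}")
        uris = [r.get("URI", "") for r in refs]
        for uri in sorted(set(uris)):
            if uris.count(uri) > 1:
                findings.append(f"{where}: duplicate ds:Reference URI {uri!r}")
        for uri in uris:
            if not uri.startswith("#"):
                findings.append(f"{where}: URI {uri!r} is not a same-document reference")
                continue
            targets = by_id.get(uri[1:], [])
            if len(targets) != 1:
                findings.append(f"{where}: URI {uri!r} resolves to {len(targets)} elements, expected 1")
            elif targets[0] is not owner:
                findings.append(f"{where}: URI {uri!r} points at {_local(targets[0].tag)}, "
                                "not at the element enclosing the signature")
    return findings


def _signature(*uris):
    """Constructed ds:Signature skeleton with one ds:Reference per URI.
    Digest and signature values are placeholders, not real cryptography."""
    refs = "".join(
        f'<ds:Reference URI="#{u}">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        "<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>"
        for u in uris)
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>{refs}</ds:SignedInfo>'
            "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>")


def _response(response_sig, assertion_sig):
    """Constructed minimal samlp:Response (ID _resp) wrapping one assertion (ID _asrt)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp">'
            f"{response_sig}"
            f'<saml:Assertion ID="_asrt">{assertion_sig}</saml:Assertion>'
            "</samlp:Response>")


# The layouts from the thread, reduced to their signature structure (constructed samples).
DUPLICATE_REFERENCE = _response("", _signature("_asrt", "_asrt"))   # original report
CROSS_REFERENCE = _response("", _signature("_asrt", "_resp"))       # later comment
MISPLACED_RESPONSE_SIG = _response("", _signature("_resp"))         # response signature under the assertion
WELL_FORMED = _response(_signature("_resp"), _signature("_asrt"))   # one reference each, correctly placed

if __name__ == "__main__":
    for name, doc in [("well-formed", WELL_FORMED),
                      ("duplicate reference", DUPLICATE_REFERENCE),
                      ("cross reference", CROSS_REFERENCE),
                      ("misplaced response signature", MISPLACED_RESPONSE_SIG)]:
        print(f"{name}: {check_signed_info(doc) or 'OK'}")
```

The check deliberately stops at structure: a message that fails it should be rejected and logged before digests or the signature value are examined, so that a misconfigured IdP (as in this issue) and a deliberately malformed message produce the same, explicit finding rather than an opaque verification error.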
