Is :idp_cert_fingerprint_validator required? #109
Ok, it is an optional parameter, but why does it exist? Since you can already provide a value for idp_cert_fingerprint dynamically, or do you want to support multiple idp_cert_fingerprint values at once?
ruby-saml requires a certificate or a fingerprint to be set (only one value) and it will validate it against the cert on the SAMLResponse, so if a wrong value is set, the SAMLResponse will be considered invalid. So I think the extra check of the idp_cert_fingerprint_validator is useless, since it was already invalidated.
@pitbulk The code that deals with this "validator" is at omniauth-saml/lib/omniauth/strategies/saml.rb, lines 52 to 59 in 59eeeb1 (the response_fingerprint method).
Since that code is extracting the fingerprint from the SAML response directly, it is happening before
I agree with you that this feature is rather suspect, and equivalent functionality could be provided by the OmniAuth setup phase functionality in any use case I could think of. That being said, I could be missing something.
I checked omniauth-saml's settings/code and I don't understand the use of
In the ruby toolkit, in order to check embedded signatures (of the HTTP-POST binding), when you add an :idp_cert_fingerprint instead of the :idp_cert, it doesn't matter which you use; in the end the idp_cert is turned into an idp_cert_fingerprint to validate the document.
The certificate of the SAMLResponse is fingerprinted and compared with the value of the idp_cert_fingerprint.
I think this is already done at omniauth here
P.S. I always recommend setting the idp_cert and not the idp_cert_fingerprint, because HTTP-Redirect binding signature validation requires it (since the IdP's public certificate is not in the SAML message).
As you plan to add SLO soon, I recommend the use of certificates over fingerprints.
Related topic: certFingerprint versus certificate/certData - simpleSAMLphp
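The fingerprint check described above (the certificate carried in the SAMLResponse is hashed and compared with the configured idp_cert_fingerprint), as an added example that is not part of this thread and not omniauth-saml's or ruby-saml's own code. The certificate is a throwaway self-signed one built inline, and all method names are assumptions.

```ruby
require 'openssl'

# Constructed example: a throwaway self-signed certificate standing in for the
# IdP certificate embedded in a SAMLResponse (<ds:X509Certificate>).
def build_sample_idp_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=example-idp')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Fingerprint over the certificate's DER encoding, rendered the way
# idp_cert_fingerprint is usually configured: colon-separated upper-case hex.
def cert_fingerprint(cert, algorithm = 'SHA1')
  OpenSSL::Digest.new(algorithm).hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Normalise a configured value so "AB:CD", "ab cd" and "abcd" compare equal.
def normalize_fingerprint(fp)
  fp.to_s.delete(': ').downcase
end

# Constant-time comparison so a mismatch reveals nothing about where it differs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check ruby-saml performs on the certificate found in the SAMLResponse:
# a wrong configured fingerprint makes the whole response invalid, which is why
# a separate fingerprint validator adds nothing.
def fingerprint_matches?(response_cert, configured_fp, algorithm = 'SHA1')
  secure_equal?(normalize_fingerprint(cert_fingerprint(response_cert, algorithm)),
                normalize_fingerprint(configured_fp))
end
```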