As discovered in MODLOGSAML-69, if decryption of the SAML assertions fails, resubmitting the POST to the callback succeeds, providing the user with an access (Okapi) token and redirecting them to the landing page.
Steps to Reproduce:
- Configure SSO and verify it's working as expected
- Change the certificate on the IdP
- Try to log in via SSO again; you should see the error: "No valid subject assertion found in response"
- Refresh the page, and you'll be redirected to the landing page!
Expected Results:
The user remains logged out and an Okapi token is not furnished. The user should not be redirected to the landing page.
Actual Results:
The user is issued an Okapi token and is redirected to the landing page.
The SP should store the IdP metadata, which contains the IdP's public key certificate, and should check that every response from the IdP is signed with the key in that certificate.
This Java code should be changed to take the IdP metadata file (and not only the IdP URL).
Storing the IdP metadata allows certificate pinning, which gives stronger assurance than relying on the HTTPS/TLS certificate of the IdP endpoint, where even domain-validated certificates (such as Let's Encrypt) are accepted although they are discouraged for production use: https://blog.pki.dfn.de/2019/03/lets-dfn-pki/
Allow uploading the IdP metadata to mod-login-saml.
Check that IdP responses are signed with the IdP's public key.
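As an added example (not mod-login-saml code), the following Python shows the pinning step described above: the signing certificates are extracted from the stored IdP metadata, and a Response is accepted only if the certificate it presents is one of those pinned certificates; use="encryption" keys are excluded, and a missing or unknown certificate fails closed. The metadata, the Response skeleton and the certificate values are constructed placeholders, and the XML-DSig verification of the signature value itself is left to a library and not shown.

```python
import base64
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed placeholders standing in for base64 DER certificates (not real X.509).
CERT_A = base64.b64encode(b"constructed IdP signing cert A").decode()
CERT_B = base64.b64encode(b"constructed IdP signing cert B, rollover").decode()
CERT_ENC = base64.b64encode(b"constructed IdP encryption cert").decode()

# Constructed IdP metadata: a signing key, a rollover key with no 'use', an encryption key.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.org">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {CERT_A}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_ENC}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sample_response(cert_b64):
    """Constructed SAML Response skeleton whose ds:KeyInfo carries cert_b64."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
 <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
</samlp:Response>"""

def _der(b64_text):
    return base64.b64decode("".join(b64_text.split()))  # tolerate line breaks in metadata

def signing_certs_from_metadata(metadata_xml):
    """Pinned certs: KeyDescriptors with use="signing" or no 'use' attribute (valid for
    both purposes). use="encryption" keys are never trusted for signature checks."""
    root = ET.fromstring(metadata_xml)
    return [_der(c.text)
            for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") != "encryption"
            for c in kd.iterfind(".//ds:X509Certificate", NS)]

def pinned_signing_cert(response_xml, metadata_xml):
    """Pinned metadata cert matching the Response's KeyInfo cert, or None (fail closed).
    Verify ds:SignatureValue with this pinned cert, never with the one inside the Response."""
    root = ET.fromstring(response_xml)
    c = root.find("./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if c is None or not c.text:
        return None
    presented = _der(c.text)
    return next((p for p in signing_certs_from_metadata(metadata_xml) if p == presented), None)
```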
Current UI; note that only the IdP URL can be specified, and there is no option to upload the IdP metadata:
Example of a site that allows uploading the IdP metadata:
Example IdP metadata file (an XML file):
Complete example: https://samltest.id/saml/idp
The IdP metadata XML file should be stored in mod-configuration.