Add support for Signed AuthnRequests using the HTTP-POST Binding. #206

Closed
richardTowers opened this issue May 2, 2017 · 7 comments

Comments

@richardTowers
Contributor

Hello, I'm a developer for the UK's Government Digital Service. I work on the GOV.UK Verify product, which is a reasonably complex SAML federation.

GOV.UK Verify uses the SAML HTTP-POST binding, and mandates that AuthnRequests are signed.

At the moment it looks like passport-saml does not sign HTTP-POST AuthnRequests. The signing process is a little different from the HTTP-Redirect binding (the signature lives in the XML, rather than the URL), but it's supported by XML Crypto, so it shouldn't be too difficult to add.

If this feature is something you'd accept a Pull Request for we'd be very keen to contribute. I've made a start in my fork.

Most of all: thanks to all the contributors of passport-saml so far - having good open source implementations of infrastructure like this is fantastic 💯 .

richardTowers added a commit to richardTowers/passport-saml that referenced this issue May 3, 2017
…T Binding

This commit adds support for signing AuthnRequests in the SAML HTTP-POST
binding. In the POST Binding the signature sits inside the SAML message
(as opposed to the Redirect binding, where the signature lives in the
URL's query string).

This will help support identity providers that require signed
AuthnRequests over the HTTP-POST binding.

Two new configuration options have been added:

* `digestAlgorithm`: allows you to specify the digest algorithm for the
  signature.
* `xmlSignatureTransforms`: allows you to configure which XML transforms
  to use.
@richardTowers
Contributor Author

Raised PR #207 to address signing of HTTP-POST AuthnRequests. Let me know if it needs any more work.

@ajshetye

Hi,
I work for a tech company in the US. We are trying to use this feature for request signing. Any news on why it did not make the merge?

Thanks,
Anuj

@markstos
Contributor

markstos commented Oct 9, 2017

@ajshetye Since you are also interested in this feature getting merged, please peer-review #207 and provide feedback there about recommended changes or a recommendation to merge it.

@joedjc

joedjc commented Jan 17, 2019

@richardTowers @markstos We've come across this issue recently - has there been a consensus on the best approach?

richardTowers added a commit to richardTowers/passport-saml that referenced this issue Jan 16, 2020
…T Binding

This commit adds support for signing AuthnRequests in the SAML HTTP-POST
binding. In the POST Binding the signature sits inside the SAML message
(as opposed to the Redirect binding, where the signature lives in the
URL's query string).

This will help support identity providers that require signed
AuthnRequests over the HTTP-POST binding.

Two new configuration options have been added:

* `digestAlgorithm`: allows you to specify the digest algorithm for the
  signature.
* `xmlSignatureTransforms`: allows you to configure which XML transforms
  to use.
@crutley

crutley commented Jan 17, 2020

Updating here to say that PR #207 was just rebased against master by @richardTowers, had a change to improve spec compliance, and was successfully tested against my company's PingFederate server.

markstos pushed a commit that referenced this issue Jan 20, 2020
…#207)

* Issue #206: Support signing AuthnRequests using the HTTP-POST Binding

This commit adds support for signing AuthnRequests in the SAML HTTP-POST
binding. In the POST Binding the signature sits inside the SAML message
(as opposed to the Redirect binding, where the signature lives in the
URL's query string).

This will help support identity providers that require signed
AuthnRequests over the HTTP-POST binding.

Two new configuration options have been added:

* `digestAlgorithm`: allows you to specify the digest algorithm for the
  signature.
* `xmlSignatureTransforms`: allows you to configure which XML transforms
  to use.

* Provide a clearer description of digestAlgorithm

It's not exactly easy to explain XMLDSIG in a single bullet point in a
readme, so I think this is necessarily going to be a bit confusing.

* Place the Signature immediately after the Issuer
@markstos
Contributor

I believe this is addressed by #207, so closing.

@markstos
Contributor

markstos commented Feb 6, 2020

A new release of passport-saml today includes this change.
