Details
-
Suggestion
-
Resolution: Unresolved
-
None
-
0
-
Description
Although the official SAML standards do not require it, many IdPs require a signed AuthNRequest for security reasons.
However, Confluence DC (with the Atlassian SAML SSO plugin) is sending an auth request like this one and doesn't have an option to sign it:
DEBUG [http-nio-8017-exec-7] [onelogin.saml2.authn.AuthnRequest] <init> AuthNRequest -->2019-11-06 10:34:38,997 DEBUG [http-nio-8017-exec-7] [onelogin.saml2.authn.AuthnRequest] <init> AuthNRequest --><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_cc1deb92-97e7-451c-abd2-0bf93ddbd382" Version="2.0" IssueInstant="2019-11-06T18:34:38Z" Destination="https://my.idp.com/idp/SSO.saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://my.confluence.com/plugins/servlet/samlconsumer"> <saml:Issuer>https://my.confluence.com</saml:Issuer></samlp:AuthnRequest>
Thereby, authentication requests to IdPs that require the signature will fail with this error:
ERROR [http-nio-8017-exec-11] [onelogin.saml2.authn.SamlResponse] isValid The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Requester -> Signature required
Attachments
Issue Links
- is related to
-
- Gathering Interest