Details
- Suggestion
- Resolution: Unresolved
Description
Problem Definition:
At the moment, the plugin only accepts a signed Assertion for authentication, regardless of whether the Response is also signed. If the Assertion is not signed, an error like the following appears:
2018-04-27 16:13:04,860 http-nio-8080-exec-43 ERROR anonymous xxxxxxxxxx xxxxxxx xxxxxxxxx /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
    at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
    at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
    at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
However, in some cases it is the Response that is signed rather than the Assertion, and the client may not be able to change that setting either.
Suggested Solution:
Have the add-on accept a SAML response in which either the Response or the Assertion is signed, so that one signature can act as a failover for the other.
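As an added illustration (not the plugin's code), the acceptance rule the suggestion asks for, written in Python over a constructed samlp:Response: the current rule demands an enveloped signature on the Assertion, the suggested rule accepts a signature on either the Response or the Assertion. It only checks where the signature sits and that its Reference points at the enclosing element's ID; verifying the digest and signature value against the IdP certificate remains the SAML library's job.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _has_enveloped_signature(elem):
    """True if elem carries a direct ds:Signature child whose Reference URI
    is '#<ID of elem>'. Placement only: the digest and SignatureValue still
    have to be verified against the IdP certificate by the SAML library."""
    sig = elem.find(f"{{{DS}}}Signature")
    ref = None if sig is None else sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    elem_id = elem.get("ID")
    return ref is not None and elem_id is not None and ref.get("URI") == "#" + elem_id


def signature_placement(response_xml):
    """Return (response_signed, all_assertions_signed) for a samlp:Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    response_signed = _has_enveloped_signature(root)
    # A response with no Assertion at all never counts as "assertions signed".
    assertions_signed = bool(assertions) and all(_has_enveloped_signature(a) for a in assertions)
    return response_signed, assertions_signed


def is_acceptable(response_xml, require_assertion_signature=True):
    """require_assertion_signature=True is the behaviour described in the issue
    (signed Assertion mandatory); False is the suggested either/or rule."""
    response_signed, assertions_signed = signature_placement(response_xml)
    if require_assertion_signature:
        return assertions_signed
    return response_signed or assertions_signed


def _sig(target_id):
    # Structural placeholder for an XML-DSig block; the value is constructed, not a real signature.
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#{target_id}"/>'
            '</ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>')


def sample_response(sign_response, sign_assertion):
    """Constructed samlp:Response with an optional signature on the Response, the Assertion, or both."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0">'
            + (_sig("_resp1") if sign_response else "")
            + '<saml:Assertion ID="_asn1" Version="2.0">'
            + (_sig("_asn1") if sign_assertion else "")
            + '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>')
```

With the default rule, `sample_response(True, False)` (Response signed, Assertion not) is rejected exactly as in the log above; with `require_assertion_signature=False` it is accepted, while a response with no signature anywhere is still rejected.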
Issue Links
- relates to: JRASERVER-71288 SAML authentication assertions and responses should be signed (Gathering Interest)