SAML Authentication Add-on to accept either Assertions or Response to be signed by IDP

    We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition:

      At the moment, the plugin only accepts a signed Assertion for authentication, regardless of whether the Response is also signed. If the Assertion is not signed, an error like the following appears:

      2018-04-27 16:13:04,860 http-nio-8080-exec-43 ERROR anonymous xxxxxxxxxx xxxxxxx xxxxxxxxx /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
      com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The Assertion of the Response is not signed and the SP requires it
              at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
              at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
              at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
      

      However, in certain cases it is the Response that is signed rather than the Assertion, and the client may not be able to change that setting on the IdP side.

      Suggested Solution:

      Have the add-on accept a signature on either the Response or the Assertion, so that either one can act as a fallback for the other.
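As an added example (not code from this Jira issue or from the Atlassian/OneLogin plugin), a structural check in Python of where the signatures sit in a SAML Response, contrasting the current assertion-only rule with the requested either-or rule. It assumes a minimal constructed Response with made-up IDs and does no cryptographic verification; checking that each Reference URI points at the enclosing element's own ID is what lets a Response-level signature cover the unsigned Assertion inside it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _self_signed(elem):
    """True if elem carries a direct ds:Signature whose Reference points at elem's own ID."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + elem.get("ID", "")

def signed_parts(response_xml):
    """Return (response_signed, assertion_signed) for a samlp:Response document."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    return _self_signed(root), assertion is not None and _self_signed(assertion)

def accept(response_xml, require_assertion_signature=True):
    """require_assertion_signature=True models the current add-on behaviour: an
    unsigned Assertion is rejected even when the enclosing Response is signed.
    False models the requested behaviour: a signature on either element is
    enough, but a document with no signature at all is still rejected."""
    response_ok, assertion_ok = signed_parts(response_xml)
    if require_assertion_signature:
        return assertion_ok
    return response_ok or assertion_ok

def sample_response(sign_response, sign_assertion):
    """Constructed minimal Response for this example; IDs and signature value are made up."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo><ds:Reference URI="#{id}"/></ds:SignedInfo>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">'
            + (sig.format(id="_resp1") if sign_response else "")
            + '<saml:Assertion ID="_asrt1">'
            + (sig.format(id="_asrt1") if sign_assertion else "")
            + '<saml:Subject/></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    # The case from this issue: the IdP signs the Response only.
    print(accept(sample_response(True, False)))         # False under current behaviour
    print(accept(sample_response(True, False), False))  # True under requested behaviour
```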


            Mark Benson added a comment:

            Our org uses Google SAML for auth and I see this error in the logs if "Signed Response" is enabled on the Google SAML App side.

            I have confirmed with Google Support that the SAML Assertion is always signed in the communications (this cannot be changed); the option only toggles whether the SAML Response is also signed or not.
            From my testing, most of the third party Jira SAML addons/plugins work fine with the signed response option enabled - so the native Atlassian authentication component is clearly missing something.

              Assignee: Unassigned
              Reporter: jrahmadiputra Julian (Inactive)
              Votes: 7
              Watchers: 10