Uploaded image for project: 'SAML for Atlassian Data Center'
  1. SAML for Atlassian Data Center
  2. SAMLDC-57

SAML AuthnRequest should be signed

XMLWordPrintable

    • Icon: Suggestion Suggestion
    • Resolution: Unresolved
    • Icon: Medium Medium
    • None
    • None
    • SSO

      Although the official SAML standards do not require it, many IdPs require a signed AuthNRequest for security reasons.

      However, Confluence DC (with the Atlassian SAML SSO plugin) is sending an auth request like this one and doesn't have an option to sign it:

      DEBUG [http-nio-8017-exec-7] [onelogin.saml2.authn.AuthnRequest] <init> AuthNRequest -->2019-11-06 10:34:38,997 DEBUG [http-nio-8017-exec-7] [onelogin.saml2.authn.AuthnRequest] <init> AuthNRequest --><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_cc1deb92-97e7-451c-abd2-0bf93ddbd382" Version="2.0" IssueInstant="2019-11-06T18:34:38Z" Destination="https://my.idp.com/idp/SSO.saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://my.confluence.com/plugins/servlet/samlconsumer"> <saml:Issuer>https://my.confluence.com</saml:Issuer></samlp:AuthnRequest>

      Thereby, authentication requests to IdPs that require the signature will fail with this error:

      ERROR [http-nio-8017-exec-11] [onelogin.saml2.authn.SamlResponse] isValid The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Requester -> Signature required

              0faddb3cd3b1 Mateusz Miodek
              lmachado@atlassian.com Lucas Machado (Inactive)
              Votes:
              46 Vote for this issue
              Watchers:
              40 Start watching this issue

                Created:
                Updated: