[SAMLDC-57] SAML AuthnRequest should be signed

Type: Suggestion
Resolution: Unresolved
Priority: Medium
Fix Version/s: None
Affects Version/s: None
Component/s: SSO
Labels:
- SAML
- dev-team

Although the official SAML standards do not require it, many IdPs require a signed AuthNRequest for security reasons.

However, Confluence DC (with the Atlassian SAML SSO plugin) is sending an auth request like this one and doesn't have an option to sign it:

DEBUG [http-nio-8017-exec-7] [onelogin.saml2.authn.AuthnRequest] <init> AuthNRequest -->2019-11-06 10:34:38,997 DEBUG [http-nio-8017-exec-7] [onelogin.saml2.authn.AuthnRequest] <init> AuthNRequest --><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_cc1deb92-97e7-451c-abd2-0bf93ddbd382" Version="2.0" IssueInstant="2019-11-06T18:34:38Z" Destination="https://my.idp.com/idp/SSO.saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://my.confluence.com/plugins/servlet/samlconsumer"> <saml:Issuer>https://my.confluence.com</saml:Issuer></samlp:AuthnRequest>

Thereby, authentication requests to IdPs that require the signature will fail with this error:

ERROR [http-nio-8017-exec-11] [onelogin.saml2.authn.SamlResponse] isValid The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Requester -> Signature required

is cloned from

CONFSERVER-59097 SAML AuthnRequest should be signed

Gathering Interest

is related to

JRASERVER-71288 SAML authentication assertions and responses should be signed

Gathering Interest

SAMLDC-40 Assertion encryption

Under Consideration

relates to

SAMLDC-112 As an administrator I would like to configure HTTP POST binding on AuthnRequest for SP initiated authentication flow

Gathering Interest

mentioned in: Page Failed to load; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(4 mentioned in)

Form Name

Mateusz Miodek added a comment - 23/May/2024 2:27 PM

We are planning to explore this issue around August or September. Once we have assessed the effort involved, we will determine whether it will be included in the roadmap.

Mateusz Miodek added a comment - 23/May/2024 2:27 PM We are planning to explore this issue around August or September. Once we have assessed the effort involved, we will determine whether it will be included in the roadmap.

rtkachuk (Inactive) added a comment - 21/Jun/2023 7:39 AM

The ticket was parked due to technical restrictions
https://github.com/SAML-Toolkits/java-saml/issues/252

rtkachuk (Inactive) added a comment - 21/Jun/2023 7:39 AM The ticket was parked due to technical restrictions https://github.com/SAML-Toolkits/java-saml/issues/252

Yoann BETZI added a comment - 19/May/2023 4:12 PM

Hello,

I see that this suggestion has been In progress since April 2021 (a bit more than 2 years). Do you have an idea of when it should be delivered and in which versions of Confluence or Jira DC?

Thank you for your feedback.

Yoann BETZI added a comment - 19/May/2023 4:12 PM Hello, I see that this suggestion has been In progress since April 2021 (a bit more than 2 years). Do you have an idea of when it should be delivered and in which versions of Confluence or Jira DC? Thank you for your feedback.

Edouard Postel added a comment - 07/Jun/2022 9:38 AM

Hello guys,

We need more and more to improve our security, can you tell us when you think release this change ?

Thanks in advance.

Edouard Postel added a comment - 07/Jun/2022 9:38 AM Hello guys, We need more and more to improve our security, can you tell us when you think release this change ? Thanks in advance.

N added a comment - 28/Feb/2021 11:23 AM - edited

Please permit SAML requests to be digitally signed for Atlassian products.

SAML request signing is a part of the SAML standard; and not having it opens a security hole that can be easily fixed by enabling SAML request signing.

N added a comment - 28/Feb/2021 11:23 AM - edited Please permit SAML requests to be digitally signed for Atlassian products. SAML request signing is a part of the SAML standard; and not having it opens a security hole that can be easily fixed by enabling SAML request signing.

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Mateusz Miodek added a comment - 23/May/2024 2:27 PM

Expand comment: Mateusz Miodek added a comment - 23/May/2024 2:27 PM

Collapse comment: rtkachuk (Inactive) added a comment - 21/Jun/2023 7:39 AM

Expand comment: rtkachuk (Inactive) added a comment - 21/Jun/2023 7:39 AM

Collapse comment: Yoann BETZI added a comment - 19/May/2023 4:12 PM

Expand comment: Yoann BETZI added a comment - 19/May/2023 4:12 PM

Collapse comment: Edouard Postel added a comment - 07/Jun/2022 9:38 AM

Expand comment: Edouard Postel added a comment - 07/Jun/2022 9:38 AM

Collapse comment: N added a comment - 28/Feb/2021 11:23 AM, Edited by N - 28/Feb/2021 11:24 AM

Expand comment: N added a comment - 28/Feb/2021 11:23 AM, Edited by N - 28/Feb/2021 11:24 AM

People

Dates