Uploaded image for project: 'SAML for Atlassian Data Center'
  1. SAML for Atlassian Data Center
  2. SAMLDC-57

SAML AuthnRequest should be signed

XMLWordPrintable

    • Icon: Suggestion Suggestion
    • Resolution: Unresolved
    • Icon: Medium Medium
    • None
    • None
    • SSO

      Although the official SAML standards do not require it, many IdPs require a signed AuthNRequest for security reasons.

      However, Confluence DC (with the Atlassian SAML SSO plugin) is sending an auth request like this one and doesn't have an option to sign it:

      DEBUG [http-nio-8017-exec-7] [onelogin.saml2.authn.AuthnRequest] <init> AuthNRequest -->2019-11-06 10:34:38,997 DEBUG [http-nio-8017-exec-7] [onelogin.saml2.authn.AuthnRequest] <init> AuthNRequest --><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_cc1deb92-97e7-451c-abd2-0bf93ddbd382" Version="2.0" IssueInstant="2019-11-06T18:34:38Z" Destination="https://my.idp.com/idp/SSO.saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://my.confluence.com/plugins/servlet/samlconsumer"> <saml:Issuer>https://my.confluence.com</saml:Issuer></samlp:AuthnRequest>

      Thereby, authentication requests to IdPs that require the signature will fail with this error:

      ERROR [http-nio-8017-exec-11] [onelogin.saml2.authn.SamlResponse] isValid The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Requester -> Signature required

            [SAMLDC-57] SAML AuthnRequest should be signed

            Mateusz Miodek added a comment -

            We are planning to explore this issue around August or September. Once we have assessed the effort involved, we will determine whether it will be included in the roadmap.

            Mateusz Miodek added a comment - We are planning to explore this issue around August or September. Once we have assessed the effort involved, we will determine whether it will be included in the roadmap.

            rtkachuk (Inactive) added a comment -

            The ticket was parked due to technical restrictions 
            https://github.com/SAML-Toolkits/java-saml/issues/252

            rtkachuk (Inactive) added a comment - The ticket was parked due to technical restrictions  https://github.com/SAML-Toolkits/java-saml/issues/252

            Yoann BETZI added a comment -

            Hello,

            I see that this suggestion has been In progress since April 2021 (a bit more than 2 years). Do you have an idea of when it should be delivered and in which versions of Confluence or Jira DC?

            Thank you for your feedback.

            Yoann BETZI added a comment - Hello, I see that this suggestion has been In progress since April 2021 (a bit more than 2 years). Do you have an idea of when it should be delivered and in which versions of Confluence or Jira DC? Thank you for your feedback.

            Edouard Postel added a comment -

            Hello guys,

            We need more and more to improve our security, can you tell us when you think release this change ?

             

            Thanks in advance.

            Edouard Postel added a comment - Hello guys, We need more and more to improve our security, can you tell us when you think release this change ?   Thanks in advance.

            N added a comment - - edited

            Please permit SAML requests to be digitally signed for Atlassian products.

            SAML request signing is a part of the SAML standard; and not having it opens a security hole that can be easily fixed by enabling SAML request signing.

            N added a comment - - edited Please permit SAML requests to be digitally signed for Atlassian products. SAML request signing is a part of the SAML standard; and not having it opens a security hole that can be easily fixed by enabling SAML request signing.

              0faddb3cd3b1 Mateusz Miodek
              lmachado@atlassian.com Lucas Machado (Inactive)
              Votes:
              46 Vote for this issue
              Watchers:
              41 Start watching this issue

                Created:
                Updated: