dex/connector
Eric Chiang 59cefd987b connector/saml: fix validation bug with multiple Assertion elements
When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker -->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker -->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.
2017-04-04 11:18:40 -07:00
github *: update go-oidc and use standard library's context package 2017-03-08 10:33:19 -08:00
gitlab *: update go-oidc and use standard library's context package 2017-03-08 10:33:19 -08:00
ldap *: update go-oidc and use standard library's context package 2017-03-08 10:33:19 -08:00
mock *: update go-oidc and use standard library's context package 2017-03-08 10:33:19 -08:00
oidc connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring 2017-03-23 14:56:34 -07:00
saml connector/saml: fix validation bug with multiple Assertion elements 2017-04-04 11:18:40 -07:00
connector.go *: validate InResponseTo SAML response field and make issuer optional 2017-03-22 13:02:44 -07:00