No SAML Response signature check
Description
The web application implements SAML (Security Assertion Markup Language) for authentication but fails to validate the digital signature of SAML Response messages at the Assertion Consumer Service (ACS) endpoint.
Without signature verification, an authenticated attacker can forge or manipulate SAML assertions to impersonate other users, including administrators, or modify user attributes such as roles and permissions. This fundamentally breaks the trust model that SAML authentication relies upon.
Remediation
Configure the SAML service provider to enforce strict signature validation for all SAML Response messages. Implement the following controls:
1. Enable signature validation in your SAML library configuration:
Examples for popular SAML libraries (the variable names samlConfig, settings and options stand for each library's configuration object):

Java (Spring Security SAML):
    samlConfig.setWantAssertionsSigned(true);
    samlConfig.setWantResponseSigned(true);

Python (python3-saml, the 'security' section of the settings dictionary):
    settings = {
        'security': {
            'wantAssertionsSigned': True,
            'wantMessagesSigned': True,
            'signatureAlgorithm': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        }
    }

.NET (Sustainsys.Saml2):
    options.SPOptions.WantAssertionsSigned = true;
    options.SPOptions.ValidateCertificates = true;
2. Verify the signature against the Identity Provider's certificate: Ensure your application has the correct IdP signing certificate configured and validates it during SAML response processing.
3. Reject unsigned or invalidly signed responses: Configure the SAML consumer to immediately reject any SAML response that lacks a valid signature or fails signature verification.
4. Use secure signature algorithms: Require SHA-256 or stronger hashing algorithms (avoid SHA-1 or MD5).
5. Test the implementation: Verify that modified or unsigned SAML responses are properly rejected by attempting to authenticate with tampered assertions.
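As an added example (not code from this page or from any of the libraries named above), the following Python policy gate enforces steps 2 to 4 before the SAML library performs cryptographic verification: it requires both the Response and every Assertion to carry a direct-child Signature that references its own ID, restricts signature and digest algorithms to SHA-256 or stronger, and rejects any KeyInfo certificate other than the configured IdP certificate. The SAML fixture, the certificate bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Step 4: SHA-256 or stronger only; rsa-sha1, sha1 and md5 identifiers are deliberately absent.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ALLOWED = {"SignatureMethod": {RSA_SHA256, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"},
           "DigestMethod": {SHA256, "http://www.w3.org/2001/04/xmlenc#sha512"}}

def cert_fingerprint(b64_der):  # SHA-256 over the DER bytes of a Base64 certificate
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def check_signature_policy(response_xml, idp_fingerprint):
    """Return policy violations; [] means the message may go on to cryptographic verification."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    violations = []
    for el in [root] + root.findall("saml:Assertion", NS):  # the message and every assertion
        name = f"{el.tag.split('}')[1]} {el.get('ID')}"
        sig = el.find("ds:Signature", NS)  # direct child only, never a deeper descendant
        ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
        if ref is None or ref.get("URI") != f"#{el.get('ID')}":
            violations.append(f"{name}: unsigned, or signature does not cover this element")
            continue
        for path, kind in (("ds:SignedInfo/ds:SignatureMethod", "SignatureMethod"),
                           ("ds:SignedInfo/ds:Reference/ds:DigestMethod", "DigestMethod")):
            m = sig.find(path, NS)
            if m is None or m.get("Algorithm") not in ALLOWED[kind]:
                violations.append(f"{name}: disallowed {kind}")
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert_fingerprint(cert.text) != idp_fingerprint:
            violations.append(f"{name}: signed with a certificate other than the IdP's")
    return violations

IDP_CERT_B64 = base64.b64encode(b"constructed-idp-certificate-der").decode()  # constructed placeholder
def build_response(sign_response=True, sign_assertion=True, sig_alg=RSA_SHA256,
                   digest_alg=SHA256, cert_b64=IDP_CERT_B64):
    def sig(ref_id):  # constructed fixture: signature structure only, no real signature value
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:SignatureMethod '
                f'Algorithm="{sig_alg}"/><ds:Reference URI="#{ref_id}"><ds:DigestMethod '
                f'Algorithm="{digest_alg}"/></ds:Reference></ds:SignedInfo><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1">'
            f'{sig("_r1") if sign_response else ""}<saml:Assertion ID="_a1">'
            f'{sig("_a1") if sign_assertion else ""}<saml:Subject/></saml:Assertion></samlp:Response>')
```

This gate complements, and does not replace, the library's cryptographic signature verification: an empty violation list only means the message is allowed to reach that step.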