SAML Response without signature
Description
The application's SAML Assertion Consumer Service accepts SAML responses without validating their digital signatures. SAML (Security Assertion Markup Language) is an XML-based authentication protocol in which the identity provider signs its assertions so that the service provider can verify where they came from and that they were not altered in transit. When signature validation is disabled or not enforced, an attacker can forge SAML responses and be authenticated as any user, including administrators, without holding valid credentials at the identity provider.
Remediation
Configure the SAML service provider to require and validate digital signatures on all incoming SAML responses. The specific configuration depends on your SAML library:
For Java (Spring Security SAML):
@Bean
public WebSSOProfileConsumer webSSOProfileConsumer() {
    WebSSOProfileConsumerImpl consumer = new WebSSOProfileConsumerImpl();
    // Reject assertions that do not carry a valid signature
    consumer.setRequireSignedAssertions(true);
    return consumer;
}
For .NET (Sustainsys.Saml2):
// In Startup.cs or configuration
services.AddSaml2(options => {
    options.SPOptions.AuthenticateRequestSigningBehavior = SigningBehavior.Always;
    // Require signature validation on incoming responses
    options.SPOptions.WantAssertionsSigned = true;
    options.IdentityProviders.Add(new IdentityProvider(
        new EntityId("https://idp.example.com"), options.SPOptions)
    {
        WantAuthnRequestsSigned = true,
        // Load the IdP's signing certificate for validation
        SigningKeys = { new X509Certificate2("idp-cert.cer") }
    });
});
For Python (python3-saml):
settings = {
    'security': {
        'wantAssertionsSigned': True,
        'wantMessagesSigned': True,
        'signatureAlgorithm': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    }
}
Ensure the identity provider's signing certificate is correctly configured and trusted by your application, since signature validation is only as strong as the key it is checked against. Test thoroughly to verify that unsigned SAML responses and unsigned assertions are rejected.
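As an added example (not part of this page and not code from any of the libraries above), the following Python check mirrors the wantMessagesSigned / wantAssertionsSigned policy as a gate that runs before cryptographic verification, which is useful when writing the rejection tests just mentioned. The function name, the sample messages and the placeholder signature content are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # assumption: swap in defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_signature_presence(response_xml, want_messages_signed=True,
                             want_assertions_signed=True):
    """Return (accepted, reason).

    Rejects a samlp:Response whose required ds:Signature elements are missing,
    following the wantMessagesSigned / wantAssertionsSigned policy. It checks
    presence only; the XML-DSig itself must still be verified against the
    trusted IdP certificate by the SAML library before the user is accepted.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not samlp:Response"
    # An enveloped XML signature is a direct child of the element it covers.
    if want_messages_signed and root.find("ds:Signature", NS) is None:
        return False, "Response is not signed"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "no saml:Assertion present"
    if want_assertions_signed:
        for assertion in assertions:
            if assertion.find("ds:Signature", NS) is None:
                return False, "Assertion %s is not signed" % assertion.get("ID")
    return True, "required signatures present; run XML-DSig verification"

# Constructed sample messages (not real IdP output); the signature body is a
# placeholder because only element presence is examined here.
_HDR = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
        'ID="_resp1">' % (NS["samlp"], NS["saml"], NS["ds"]))
_SIG = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
_ASSERTION = '<saml:Assertion ID="_a1">%s<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject></saml:Assertion>'

UNSIGNED_RESPONSE = _HDR + _ASSERTION % "" + "</samlp:Response>"
ASSERTION_ONLY_SIGNED = _HDR + _ASSERTION % _SIG + "</samlp:Response>"
FULLY_SIGNED = _HDR + _SIG + _ASSERTION % _SIG + "</samlp:Response>"

if __name__ == "__main__":
    for name, msg in [("unsigned", UNSIGNED_RESPONSE),
                      ("assertion-only signed", ASSERTION_ONLY_SIGNED),
                      ("fully signed", FULLY_SIGNED)]:
        print(name, check_signature_presence(msg))
```

With the default policy only the fully signed message passes; relaxing want_messages_signed lets the assertion-only message through, which is the trade-off the python3-saml settings above make explicit.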