SAML Response signature exclusion
Description
The web application implements SAML-based authentication but fails to enforce signature validation on SAML Response messages when the Signature element is absent or removed. This configuration weakness allows the SAML Consumer Service to accept unsigned or tampered authentication assertions, enabling an attacker with valid credentials to modify SAML Response attributes (such as user roles or identity claims) and authenticate as other users or with elevated privileges.
Remediation
Configure the SAML Service Provider to strictly enforce signature validation for all SAML Response messages. Implement the following controls:
1. Require mandatory signature validation: Configure your SAML library to reject any SAML Response that lacks a valid signature. Set the signature validation mode to 'required' rather than 'optional'.
2. Validate signature presence: Before processing any SAML Response, verify that the Signature element exists and is properly formed.
3. Example configuration (using popular SAML libraries):
// For OneLogin's SAML library (php-saml): require a signature on both the
// Response message and the Assertion, and reject unsolicited Responses that
// carry an InResponseTo attribute.
$settings = [
    'security' => [
        'wantMessagesSigned' => true,
        'wantAssertionsSigned' => true,
        'rejectUnsolicitedResponsesWithInResponseTo' => true
    ]
];
// For Spring Security SAML (Java): the setter shown is illustrative; confirm
// the exact method name against the API of the library version in use.
@Bean
public SAMLContextProvider contextProvider() {
    SAMLContextProviderImpl provider = new SAMLContextProviderImpl();
    provider.setRequireSignature(true);
    return provider;
}
4. Verify certificate trust chain: Ensure that SAML Response signatures are validated against trusted Identity Provider certificates and that certificate validation is properly configured.
5. Test the implementation: Attempt to submit SAML Responses with removed or invalid signatures to confirm they are properly rejected by the application.
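An added example, not the code of any SAML library, showing the presence check from step 2 and the 'required' versus 'optional' mode from step 1 as a Python pre-filter in front of signature verification. The `verify` callable, the `accept_response`/`own_signature` names and the sample messages are constructed stand-ins; the real cryptographic check against the IdP certificate remains the library's job and must still run on every element this filter returns.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",  # SAML 2.0 and XML-DSig namespaces
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
class SamlSignatureError(Exception):
    """Raised when a required signature is missing, misplaced or invalid."""
def own_signature(elem):
    """Return the ds:Signature that is a direct child of elem and references elem's ID, else None."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + elem.get("ID", ""):
        raise SamlSignatureError("Signature does not cover its enclosing element")
    return sig
def accept_response(xml_bytes, verify, mode="required"):
    """Return the asserted NameID if the Response may be trusted, otherwise raise.
    verify(elem, sig) stands in for the library's XML-DSig check against the IdP certificate;
    mode="optional" reproduces the weakness: a signature is checked only when one is present."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlSignatureError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlSignatureError("Response carries no Assertion")
    for elem in (root, assertion):  # wantMessagesSigned and wantAssertionsSigned
        sig = own_signature(elem)
        if sig is None:
            if mode == "required":
                raise SamlSignatureError("unsigned %s rejected" % elem.tag.split("}")[1])
            continue  # optional mode: the unsigned element is accepted as-is
        if not verify(elem, sig):
            raise SamlSignatureError("signature verification failed")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
def is_rejected(xml_bytes, verify, mode="required"):  # True if the Response is refused
    try:
        accept_response(xml_bytes, verify, mode)
        return False
    except SamlSignatureError:
        return True
def _sig(elem_id):  # constructed ds:Signature skeleton; the value is not a real signature
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature>' % (NS["ds"], elem_id))
# Constructed sample: a signed Response carrying one signed Assertion; UNSIGNED strips both.
SIGNED = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s<saml:Assertion ID="_a1">%s'
          '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>'
          '</samlp:Response>' % (NS["samlp"], NS["saml"], _sig("_r1"), _sig("_a1"))).encode()
UNSIGNED = re.sub(r"<ds:Signature.*?</ds:Signature>", "", SIGNED.decode()).encode()
```

Running `accept_response(UNSIGNED, verify, mode="optional")` returns "alice" while `mode="required"` raises, which is exactly the check step 5 asks you to perform against the deployed Service Provider.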