Version 0.4.0 of the Kentor.AuthServices SAML2 package for ASP.NET is now released. The release contains an important security fix and some other improvements.
- Improved verification of XML signatures to mitigate assertion injection.
- Support for signed assertions.
- Validates InResponseTo on incoming responses.
- Support for SAML2 Http Post binding.
Improved Verification of XML Signatures
All previous versions of Kentor.AuthServices have a flaw in how the XML signatures on assertions are verified. It might be possible to use the flaw to take a signature from a response received from an Idp and reuse it when crafting another response. The error is that the reference of the signature is not correctly verified to be set to the entire message.
This is now fixed and all existing installations should be upgraded as soon as possible.
Support for Signed Assertions
Thanks to a contribution from “Atschirren”, there is now support for signed assertions where each assertion inside the response is signed individually instead of the entire response being signed.
Validation of InResponseTo
A Saml2 Response message contains an InResponseTo attribute that is a reference to the ID of the message that was responded to. Typically the Idp sets the attribute to the ID of the AuthnRequest received from the service provider.
If there is an InResponseTo attribute it is now verified that it corresponds to the ID of an AuthnRequest that has been issued by the service provider, and that only one response is received for each request. The InResponseTo mechanism is part of the defence-in-depth measures of the SAML2 protocol. It is not strictly required to make the validation of messages secure; the signature of the messages is the ultimate security foundation of SAML2, but validating InResponseTo is an extra defence against replay attacks.
Breaking Change to Configuration
There is now a new required attribute, allowUnsolicitedAuthnResponse, in the idp element of the configuration that indicates if unsolicited authentication responses are allowed. If set to true the service provider will accept responses without InResponseTo. If set to false there must be an InResponseTo for the response to be accepted. Note that if an InResponseTo attribute is present it must always be valid, even though allowUnsolicitedAuthnResponse is set to true.
<identityProvider issuer="https://idp.example.com" destinationUri="https://idp.example.com" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
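The two checks described above (a signature reference that must cover the whole message, and an InResponseTo that must match an outstanding AuthnRequest exactly once, subject to allowUnsolicitedAuthnResponse) are illustrated here in Python with constructed sample messages. This is an added example, not AuthServices code; the class and function names are assumptions, the messages are trimmed to the parts the checks look at, and the reference check complements rather than replaces cryptographic signature verification.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def signature_references_element(elem):
    """True only if the Signature that is a direct child of `elem` has exactly
    one Reference and that Reference's URI is the ID of `elem` itself, i.e. the
    signature covers the whole message (or whole assertion), not a sub-element."""
    elem_id = elem.get("ID")
    sig = elem.find("ds:Signature", NS)
    if elem_id is None or sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + elem_id


class InResponseToValidator:
    """Remembers the IDs of AuthnRequests the SP issued; each may be answered once."""

    def __init__(self, allow_unsolicited_authn_response):
        self.allow_unsolicited = allow_unsolicited_authn_response
        self.outstanding = set()

    def register_authn_request(self, request_id):
        self.outstanding.add(request_id)

    def validate(self, response_xml):
        root = ET.fromstring(response_xml)
        if not signature_references_element(root):
            return False
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Unsolicited response: acceptable only if configuration allows it.
            return self.allow_unsolicited
        # A present InResponseTo must always match an outstanding request,
        # whatever allowUnsolicitedAuthnResponse says; consuming it blocks replay.
        if in_response_to not in self.outstanding:
            return False
        self.outstanding.remove(in_response_to)
        return True


# Constructed sample messages (not real Idp output); signature contents trimmed.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" InResponseTo="_req1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
</samlp:Response>"""
# Same shape, but the Reference points at a nested element instead of the Response.
PARTIAL_SIG_RESPONSE = GOOD_RESPONSE.replace('URI="#_resp1"', 'URI="#_assertion1"')
UNSOLICITED_RESPONSE = GOOD_RESPONSE.replace(' InResponseTo="_req1"', "")
```

For individually signed assertions, apply signature_references_element to each Assertion element instead of the Response root.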
Support for SAML2 Http Post Binding
There is now complete support for the http post binding. AuthServices has accepted incoming messages through http post since the early days, but it now also supports sending messages over http post.
The corresponding MVC package is also updated with a new version. There are no real updates to that package other than the dependency on 0.4.0 of the core library, but because of the way NuGet's version resolution of dependencies works this will make it more clear that an update is needed for those that use the MVC package.
There is more work under way with the ambition to improve AuthServices to not only handle a single Idp but also be able to be part of a federation. The intention is to add the following features.
- Publishing SP metadata.
- Consuming Idp metadata.
- Consuming federation metadata.
- Compatibility with ASP.NET Identity as an OWIN middleware.