Kentor.AuthServices 0.4.0 SAML2 for ASP.NET Released

Version 0.4.0 of the Kentor.AuthServices SAML2 package for ASP.NET is now released. The release contains an important security fix and some other improvements.

Contents

  • Improved verification of XML signatures to mitigate assertion injection.
  • Support for signed assertions.
  • Validates InResponseTo on incoming responses.
  • Support for SAML2 Http Post binding.

Improved Verification of XML Signatures

All previous versions of Kentor.AuthServices have a flaw in how the XML signatures on assertions are verified. It might be possible to use the flaw to take a signature from a response received from an Idp and reuse it when crafting another response. The error is that the reference of the signature is not correctly verified to cover the entire message.

This is now fixed and all existing installations should be upgraded as soon as possible.

Support for Signed Assertions

Thanks to a contribution from “Atschirren”, there is now support for signed assertions where each assertion inside the response is signed individually instead of the entire response being signed.

Validation of InResponseTo

A Saml2 Response message contains an InResponseTo attribute that is a reference to the ID of the message that was responded to. Typically the Idp sets the attribute to the Id of the AuthnRequest received from the service provider.

If there is an InResponseTo attribute it is now verified that it corresponds to the ID of an AuthnRequest that has been issued by the service provider, and that only one response is received for each AuthnRequest. The InResponseTo mechanism is part of the defence in depth of the SAML2 protocol. It is not strictly required to make message validation secure; the signature of the messages is the ultimate security foundation of SAML2, but validating InResponseTo is an extra defence against replay attacks.

Breaking Change to Configuration

There is now a new required attribute in the configuration, in the idp element, that indicates if unsolicited authentication responses are allowed. If set to true the service provider will accept responses without InResponseTo. If set to false there must be an InResponseTo for the response to be accepted. Note that if an InResponseTo attribute is present it must always be valid, even though allowUnsolicitedAuthnResponse is set to true.

<identityProvider issuer="https://idp.example.com" destinationUri="https://idp.example.com"
                  allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
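The two structural checks described above, the signature reference covering the element it sits in and the InResponseTo matching an outstanding AuthnRequest exactly once, as an added Python sketch that is not code from the Kentor.AuthServices project. It deliberately leaves out cryptographic verification of the signature (that is a separate step) and all IDs and XML are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML2 Response (protocol, assertion, XML-DSig).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_covers_parent(signed_el):
    """True only if the ds:Signature directly under signed_el has exactly one
    Reference whose URI is '#' + signed_el's own ID. A reference to any other
    element means the signature does not vouch for the message it sits in,
    which is the flaw fixed in 0.4.0 (works for a Response or an Assertion)."""
    sig = signed_el.find("ds:Signature", NS)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False
    return refs[0].get("URI") == "#" + signed_el.get("ID", "")


class InResponseToValidator:
    """Tracks AuthnRequest IDs issued by the SP; each may be answered once.
    allow_unsolicited mirrors the allowUnsolicitedAuthnResponse setting."""

    def __init__(self, allow_unsolicited):
        self.allow_unsolicited = allow_unsolicited
        self.outstanding = set()

    def issue_request(self, request_id):
        self.outstanding.add(request_id)

    def validate(self, response_el):
        irt = response_el.get("InResponseTo")
        if irt is None:                       # unsolicited response
            return self.allow_unsolicited
        if irt not in self.outstanding:       # unknown or already consumed
            return False
        self.outstanding.remove(irt)          # one response per request
        return True


def make_response(resp_id, ref_uri, in_response_to=None):
    """Build a constructed, unsigned-in-practice Response for demonstration."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}"'
            f' ID="{resp_id}"{irt}><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="{ref_uri}"/></ds:SignedInfo></ds:Signature>'
            f'</samlp:Response>')
```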

Support for SAML2 Http Post Binding

There is now complete support for the http post binding. AuthServices has accepted incoming messages through http post since the early days, but it now also supports sending messages over http post.

Additional Notes

The corresponding MVC package is also updated with a new version. There are no real updates to that package other than the dependency on 0.4.0 of the core library. But because of the way NuGet's dependency version resolution works, this will make it clearer that an update is needed for those that use the MVC package.

The exact details of what's changed in the release can be found in the 0.4.0 milestone on GitHub and the 0.4.0 tag.

Roadmap

There is more work under way with the ambition to improve AuthServices to not only handle a single Idp but also be able to be part of a federation. The intention is to add the following features.

  • Publishing SP metadata.
  • Consuming Idp metadata.
  • Consuming federation metadata.
  • Compatibility with ASP.NET Identity as an OWIN middleware.

1 comment

  1. Validation of InResponseTo also mitigates DOS attacks by providing an early rejection before the relatively expensive signature validation.
