grafana/django-saml2-auth

WANT_ASSERTIONS_SIGNED not working

trae-horton opened this issue · 1 comments

Summary

I apologize if this is a configuration issue, but after attempting to fix this for over a week and reading all the documentation, I feel like there is an issue with 'WANT_RESPONSE_SIGNED': True, not actually taking effect. I have also tried removing 'WANT_RESPONSE_SIGNED': True, from the config as this library should default to wanting the SAML Response to be signed.

Background

To give a little bit of background, I have a Django app acting as the SP. Everything works with the SAML login: I browse to my Django app, get redirected to the IdP, enter the SAML creds, get redirected to the Django app, and now have the attributes from the SAML account in Django. The IdP is sending an XML response properly signed via the metadata file; however, I can "strip" that signature from the SAML Request and the Django app happily grants me a session ID.

Issue

This can allow an actor to "spoof" their SAML attributes, causing the app to grant privilege escalation depending on the Django app.

Screenshots of SAML Raider

This request gets a valid sessionid with the Response being Signed from the IdP. This is expected behavior.

This request has the signature removed by pressing "Remove Signatures". As we can see, we still get a valid sessionid. This is bad.

Framework

Python version : 3.9.16
Django version : 3.2.18
django-saml2-auth version : 3.9.0

SAML Config

SAML2_AUTH = {
    'METADATA_LOCAL_FILE_PATH': 'metadatadev.xml',
    'DEFAULT_NEXT_URL': '/',
    'CREATE_USER': True,
    "NEW_USER_PROFILE": {
        "USER_GROUPS": [],
        "ACTIVE_STATUS": True,
        "STAFF_STATUS": False,
        "SUPERUSER_STATUS": False
    },
    'ATTRIBUTES_MAP': {
        'email': 'email',
        'username': 'UserName',
        'first_name': 'FirstName',
        'last_name': 'LastName',
        #'token': 'Token',
    },

    'ENTITY_ID': 'example.net',

    'USE_JWT': False,
    'FRONTEND_URL': 'https://example.net',
    'LOGIN_CASE_SENSITIVE': False,
    'AUTHN_REQUESTS_SIGNED': True,
    'LOGOUT_REQUESTS_SIGNED': True,
    'WANT_ASSERTIONS_SIGNED': True,
    'WANT_RESPONSE_SIGNED': True,
    "ALLOWED_REDIRECT_HOSTS": ["https://app.example.com",
                               "https://api.example.com",
                               "https://example.com"],
    "TOKEN_REQUIRED": True
}

If anyone can help me with some guidance on how to fix this that would be awesome. I am thinking of trying to use the "raw" pysaml library but don't want to run into the same issue if this is something wrong with my app. Thanks for the help!

This ended up not being an issue with this code base.
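For reference when reproducing a report like this one, the following added example (not code from the issue or from django-saml2-auth) checks which of the two settings in the config above a given SAMLResponse would satisfy structurally: WANT_RESPONSE_SIGNED concerns the samlp:Response element, WANT_ASSERTIONS_SIGNED concerns each saml:Assertion. The function names and the sample document are hypothetical and constructed here; the check covers signature presence and reference target only and performs no cryptographic verification.

```python
import base64
import xml.etree.ElementTree as ET  # stdlib so the example runs offline; untrusted XML is typically parsed with defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _signed(elem):
    """True if elem has a direct-child ds:Signature whose Reference targets elem's own ID."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    eid = elem.get("ID")
    return bool(eid) and ref is not None and ref.get("URI") == "#" + eid

def signature_policy_errors(saml_response_b64, want_response_signed=True,
                            want_assertions_signed=True):
    """Return a list of policy violations for a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    errors = []
    if want_response_signed and not _signed(root):
        errors.append("Response is not signed")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        errors.append("no plaintext Assertion found")
    if want_assertions_signed:
        errors += ["Assertion %s is not signed" % a.get("ID")
                   for a in assertions if not _signed(a)]
    return errors

def _sample(sign_response, sign_assertion):
    """Constructed sample document; SignatureValue is a dummy placeholder."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
           '<ds:Reference URI="#%s"/></ds:SignedInfo>'
           '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">%s'
           '<saml:Assertion ID="_a1">%s</saml:Assertion></samlp:Response>'
           % (sig % "_r1" if sign_response else "", sig % "_a1" if sign_assertion else ""))
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    for r, a in [(True, True), (False, True), (False, False)]:
        print(r, a, signature_policy_errors(_sample(r, a)))
```

Running the same check against the POST body captured before and after signature removal shows which requirement the modified message no longer meets, independent of what the SP then does with it.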