perl-net-saml2/perl-Net-SAML2

Signature of metadata is in the incorrect spot

waterkip opened this issue · 5 comments

Because of the renewed development on Net::SAML2 I'm rewriting parts of our old Net::SAML2 implementation. I'm currently hitting a bug in Net::SAML2 (git/cpan version 0.55).

According to the specs [1][2] the xpath to the signature element should be something like this:

/md:EntityDescriptor/ds:Signature

In Net::SAML2 this is not the case and the signature is found in:

/md:EntityDescriptor/md:SPSSODescriptor/ds:Signature

Footnotes

  1. https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

  2. https://en.wikipedia.org/wiki/SAML_metadata

Hi @waterkip

It is great to see you active with Net::SAML2 again. This is an issue at:

ID => generate_id()},

If the ID was generated at

entityID => $self->id },
it would likely be fine.

The other fix is to modify XML::Sig to allow it to sign specific IDs and then modify this to sign just the ID for the md:EntityDescriptor

I can assign to me (or to you). I have been wondering what to work on lately but a PR is fine if you have time

Tim
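The placement mismatch from the report above, together with Tim's point that the signature's Reference has to name the md:EntityDescriptor ID, as an added check. This is example code of my own, not from Net::SAML2, and both metadata snippets are constructed with placeholder signature values.

```python
"""Locate the enveloped ds:Signature in SAML 2.0 metadata and check what it covers."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed samples (not real metadata; signature values are placeholders).
SIGNED_AT_ENTITY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_e1" entityID="https://sp.example/">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_e1"/></ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor ID="_r1" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

SIGNED_AT_ROLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_e1" entityID="https://sp.example/">
  <md:SPSSODescriptor ID="_r1" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_metadata_signature(xml_text: str) -> dict:
    """Report the parent of the first ds:Signature and whether it covers the root."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return {"parent": None, "reference_uri": None, "covers_entity": False}
    entity_id = root.get("ID")
    # ElementTree has no parent links, so walk every element and inspect its children.
    sig, parent = None, None
    for elem in root.iter():
        for child in elem:
            if child.tag == f"{{{DS}}}Signature":
                sig, parent = child, elem
                break
        if sig is not None:
            break
    if sig is None:
        return {"parent": None, "reference_uri": None, "covers_entity": False}
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    ref_uri = ref.get("URI") if ref is not None else None
    parent_name = parent.tag.split("}")[1]  # strip the namespace URI
    # Only a signature that is a direct child of the root and references the
    # root's own ID actually covers the whole md:EntityDescriptor.
    covers = parent is root and entity_id is not None and ref_uri == f"#{entity_id}"
    return {"parent": parent_name, "reference_uri": ref_uri, "covers_entity": covers}
```

Run against metadata produced by the 0.55 code path the report describes, the result shows the signature under SPSSODescriptor with a Reference to that role's ID, so nothing about the EntityDescriptor itself is covered.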

I'll work on a testsuite thing and then I'll look into a PR later.

For reference, this is the bug exposed in the testsuite.
https://github.com/waterkip/perl-Net-SAML2/tree/bug-61

On a related note, have you looked at the "improvements" I made to the testapp? It now allows you to easily test against multiple IdPs.

No, I haven't. I did have a jab at autogenerating certs before/after a testsuite run. It requires openssl on the CLI tho, so maybe not that useful for Net::SAML2