Skip Menu |

This queue is for tickets about the Net-SAML2 CPAN distribution.

Report information
The Basics
Id: 101358
Status: resolved
Priority: 0/
Queue: Net-SAML2
People
Owner: TIMLEGGE [...] cpan.org
Requestors: xmikew [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: 0.17
Fixed in: 0.20

History Show all quoted text
  Tue Jan 06 14:44:58 2015 bitcard [...] 32ths.com - Ticket created
Subject: Signed Responses cause verification failure
If your IDP returns a SAMLResponse that has the Response and Assertion signed verification fails. Net::SAML2::XML::Sig always does //dsig:Signature etc. for xpath queries. The problem is that since the SAMLResponse that has both signed response and signed assertion when the xml gets stringified for the exponent (and others) it just concats the exponent twice. After adding //saml2:Assertion in the xpath, verification started succeeding. \- Mike
  Tue Jan 06 14:48:28 2015 bitcard [...] 32ths.com - Broken in 0.17 added
  Tue Jan 06 14:48:28 2015 bitcard [...] 32ths.com - Severity Critical added
  Thu Jan 08 16:31:25 2015 bitcard [...] 32ths.com - Correspondence added
Looks like the multiple_sig_support on github fixes this. It's not merged/released to master but works for me. I think it just needs some tests. On Tue Jan 06 14:44:58 2015, xmikew wrote: Show quoted text
> If your IDP returns a SAMLResponse that has the Response and Assertion > signed verification fails. > > Net::SAML2::XML::Sig always does //dsig:Signature etc. for xpath > queries. The problem is that since the SAMLResponse that has both > signed response and signed assertion when the xml gets stringified for > the exponent (and others) it just concats the exponent twice. After > adding //saml2:Assertion in the xpath, verification started > succeeding. > > \- Mike
  Thu Jan 08 16:31:25 2015 The RT System itself - Status changed from 'new' to 'open'
  Tue Apr 07 21:22:24 2020 TIMLEGGE [...] cpan.org - Correspondence added
On Thu Jan 08 16:31:25 2015, xmikew wrote: Show quoted text
> Looks like the multiple_sig_support on github fixes this. > It's not merged/released to master but works for me. I think it just > needs some tests. > > On Tue Jan 06 14:44:58 2015, xmikew wrote:
> > If your IDP returns a SAMLResponse that has the Response and > > Assertion > > signed verification fails. > > > > Net::SAML2::XML::Sig always does //dsig:Signature etc. for xpath > > queries. The problem is that since the SAMLResponse that has both > > signed response and signed assertion when the xml gets stringified > > for > > the exponent (and others) it just concats the exponent twice. After > > adding //saml2:Assertion in the xpath, verification started > > succeeding. > > > > \- Mike
https://github.com/timlegge/perl-Net-SAML2/issues/10 I pulled it in from the fork you did xmikew and it will ne in the next cpan release
  Tue Apr 07 21:22:53 2020 TIMLEGGE [...] cpan.org - Taken
  Mon Apr 13 22:27:41 2020 TIMLEGGE [...] cpan.org - Status changed from 'open' to 'resolved'
  Mon Apr 13 22:27:41 2020 TIMLEGGE [...] cpan.org - Fixed in 0.20 added