IDP sending empty SignatureValue in ArtifactResponse
Cantor, Scott
cantor.2 at osu.edu
Tue Sep 17 11:51:15 EDT 2019
Just eyeballing, my supposition is that the assertion signing might be connected to the bug. The order of operations looks off to me, and I think it may be signing it a second time in a place that would corrupt the Response signature, so that would be a plausible idea. If the SP required assertion signing and the rest don't, that would explain the difference.
-- Scott
On 9/17/19, 10:12 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
On 9/17/19, 9:54 AM, "users on behalf of Malo Toudic" <users-bounces at shibboleth.net on behalf of malo.toudic at kereval.com> wrote:
> You will find the logs attached. I have anonymized the logs (URL and certificates only).
It's the ArtifactResponse that would normally be signed (if anything were signed), and it's the Response inside it that's broken.
The assertion here is also being signed, so this is a very strange "desired" result to begin with. I suspect there's a signing setting interaction with the three different layers that's getting things mixed up. It has to be something in a relying party override affecting the response signing settings to be specific to one SP.
You'd need to file a bug with a fairly complete config example and a good log trace. If you want to keep it confidential you can set the Security Level to vulnerability (not that it is one, but it would limit the visibility of the issue).
-- Scott
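Added example (not part of the thread, and not Shibboleth code): a small Python check that reports, for each of the three layers discussed above (ArtifactResponse, Response, Assertion), whether an enveloped ds:Signature is present and whether its SignatureValue is empty. The function name, the status strings and the sample message are assumptions made for illustration; the sample is constructed and is not the poster's log data.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: Response carries a Signature with an empty SignatureValue,
# the Assertion carries a placeholder (not a real) signature value.
SAMPLE = """
<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_ar1">
  <samlp:Response ID="_r1">
    <ds:Signature><ds:SignatureValue/></ds:Signature>
    <saml:Assertion ID="_a1">
      <ds:Signature><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>
    </saml:Assertion>
  </samlp:Response>
</samlp:ArtifactResponse>
""".strip()

# Layer name -> path from the ArtifactResponse root ("." is the root itself).
LAYERS = [
    ("ArtifactResponse", "."),
    ("Response", "samlp:Response"),
    ("Assertion", "samlp:Response/saml:Assertion"),
]

def signature_status(xml_text):
    """Return {layer: absent | unsigned | empty-signature-value | signed}.

    Structural check only: it does not validate any signature.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}ArtifactResponse" % NS["samlp"]:
        raise ValueError("expected a samlp:ArtifactResponse root element")
    report = {}
    for name, path in LAYERS:
        node = root if path == "." else root.find(path, NS)
        if node is None:
            report[name] = "absent"
            continue
        # Direct child only, so a nested layer's signature is not attributed here.
        sig = node.find("ds:Signature", NS)
        if sig is None:
            report[name] = "unsigned"
            continue
        value = sig.find("ds:SignatureValue", NS)
        text = "".join((value.text or "").split()) if value is not None else ""
        report[name] = "signed" if text else "empty-signature-value"
    return report

if __name__ == "__main__":
    for layer, status in signature_status(SAMPLE).items():
        print(f"{layer}: {status}")
```

Running this over a message captured from a trace shows which layer carries the broken signature, which is useful detail to include alongside the config example and log trace in a bug report.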