Description
Code Version
7.0.1
Expected Behavior
With `saml2_backend.yaml` `config.sp_config.services.sp.authn_requests_signed` set to `True`, an AuthnRequest should get signed only with a detached signature in `http_redirect_message`.
Current Behavior
An AuthnRequest gets signed with an embedded signature in `entity.py` `_message`, and also gets a detached signature in `http_redirect_message`.
Possible Solution
The Entity `_message` method looks at the `sign` parameter and the `should_sign` attribute, and when it determines the message should be signed, it creates an embedded XML signature.
While this is the right thing for the general case, it is not suitable for messages sent over `BINDING_HTTP_REDIRECT` (binding `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`), as they get a detached signature.
I thought about solving this in `client_base.py` `create_authn_request` by setting `sign=False` if the binding is `BINDING_HTTP_REDIRECT`, but this method is actually NOT receiving the binding the current call runs over; it only gets the binding the response should be sent over.
One option would be to change the signature of `create_authn_request` to also accept `current_binding` as a named parameter, and suppress signing based on that.
I have been able to force the correct behaviour in SATOSA directly by changing `satosa.backends.saml2` `authn_request` to suppress signing of the AuthnRequest message object for the Redirect binding:

```python
req_id, req = self.sp.create_authn_request(
    destination, binding=response_binding,
    # do not embed an XML signature when the request itself goes out over HTTP-Redirect
    sign=False if binding == BINDING_HTTP_REDIRECT else None,
    **kwargs
)
```

... but I think it should be solved in pysaml2.
Your thoughts, @c00kiemon5ter?
Cheers,
Vlad
Steps to Reproduce
- Deploy pysaml2 as SP (e.g., as SATOSA backend)
- Enable AuthnRequest signing (`authn_requests_signed = true`).
- Initiate an AuthnRequest to an IdP
- The request will be double-signed.
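To confirm the double signing described above without reading pysaml2 internals, the following added check (not part of this issue or of pysaml2) decodes the `SAMLRequest` from an HTTP-Redirect URL and reports whether the AuthnRequest carries an embedded `ds:Signature`, a detached `Signature` query parameter, or both. The URL, request IDs and signature values are constructed placeholders; it only inspects structure and verifies nothing.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def authn_request_xml(embedded_signature: bool) -> bytes:
    """Constructed sample AuthnRequest, optionally with an embedded XML signature."""
    sig = (f'<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo/>'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
           if embedded_signature else "")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" '
        'Version="2.0" IssueInstant="2021-01-01T00:00:00Z">'
        "<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>"
        f"{sig}</samlp:AuthnRequest>"
    ).encode()


def build_redirect_url(xml_bytes: bytes, detached_signature: bool) -> str:
    """Encode per the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header/trailer
    params = {"SAMLRequest": base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()}
    if detached_signature:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"constructed-placeholder").decode()
    return "https://idp.example.org/sso?" + urlencode(params)


def signature_status(url: str) -> dict:
    """Report embedded vs. detached signatures on a redirect-bound AuthnRequest."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    embedded = root.find(f"{{{DS_NS}}}Signature") is not None
    detached = "Signature" in query and "SigAlg" in query
    return {"embedded": embedded, "detached": detached,
            "double_signed": embedded and detached}


if __name__ == "__main__":
    print(signature_status(build_redirect_url(authn_request_xml(True), True)))
```

A correctly behaving SP yields `embedded: False, detached: True`; the bug reported here shows up as `double_signed: True`.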