diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
index 185da0398bf..38fc56727a2 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@@ -254,7 +254,7 @@ private Assertion validateSaml2Response(Saml2AuthenticationToken token,
 }
 try {
 Assertion a = decrypt(token, ea);
- validateAssertion(recipient, a, token, false);
+ validateAssertion(recipient, a, token, !responseSigned);
 return a;
 } catch (Saml2AuthenticationException e) {
 lastValidationError = e;
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationRepository.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationRepository.java
index 28e88b715c5..c7d5c1f119d 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationRepository.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationRepository.java
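Review bot: The fourth argument of `validateAssertion` is a bare boolean at the call site, and with `!responseSigned` it now carries the security decision of this fix (an encrypted assertion must bear its own signature whenever the enclosing Response is unsigned), so it deserves a name: `boolean assertionSignatureRequired = !responseSigned;` followed by `validateAssertion(recipient, a, token, assertionSignatureRequired);`. Since the body of `validateAssertion` is not in this hunk, it is worth confirming that passing `false` only makes the signature optional rather than skipping verification of one that is present; otherwise a signed Response wrapping a decrypted assertion whose own signature is invalid would presumably still be accepted. `responseSigned` is computed before this hunk, and `validateSaml2Response` both starts and ends outside it; the visible catch block records the failure in `lastValidationError`, which looks like a per-assertion retry loop but cannot be confirmed from these lines.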
@@ -17,8 +17,8 @@
 package org.springframework.security.saml2.provider.service.registration;
 
 /**
- * Resolves a {@link RelyingPartyRegistration}, a configured service provider and remote identity provider pair,
- * by entityId or registrationId
+ * Resolves a {@link RelyingPartyRegistration}, a configured service provider and remote identity provider pair
+ * based on a unique registrationId.
 * @since 5.2
 */
 public interface RelyingPartyRegistrationRepository {
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java
index 772ed072f59..ef2ed9e5a88 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java
@@ -216,12 +216,47 @@ public void authenticateWhenUsernameMissingThenThrowAuthenticationException() th
 }
 
 @Test
- public void authenticateWhenEncryptedAssertionWithoutSignatureThenItSucceeds() throws Exception {
+ public void authenticateWhenEncryptedAssertionWithoutSignatureThenItFails() throws Exception {
 Response response = response(recipientUri, idpEntityId);
 Assertion assertion = defaultAssertion();
 EncryptedAssertion encryptedAssertion = encryptAssertion(assertion, assertingPartyCredentials());
 response.getEncryptedAssertions().add(encryptedAssertion);
 token = responseXml(response, idpEntityId);
+ exception.expect(
+ authenticationMatcher(
+ Saml2ErrorCodes.INVALID_SIGNATURE
+ )
+ );
+ provider.authenticate(token);
+ }
+
+ @Test
+ public void authenticateWhenEncryptedAssertionWithSignatureThenItSucceeds() throws Exception {
+ Response response = response(recipientUri, idpEntityId);
+ Assertion assertion = defaultAssertion();
+ signXmlObject(
+ assertion,
+ assertingPartyCredentials(),
+ recipientEntityId
+ );
+ EncryptedAssertion encryptedAssertion = encryptAssertion(assertion, assertingPartyCredentials());
+ response.getEncryptedAssertions().add(encryptedAssertion);
+ token = responseXml(response, idpEntityId);
+ provider.authenticate(token);
+ }
+
+ @Test
+ public void authenticateWhenEncryptedAssertionWithResponseSignatureThenItSucceeds() throws Exception {
+ Response response = response(recipientUri, idpEntityId);
+ Assertion assertion = defaultAssertion();
+ EncryptedAssertion encryptedAssertion = encryptAssertion(assertion, assertingPartyCredentials());
+ response.getEncryptedAssertions().add(encryptedAssertion);
+ signXmlObject(
+ response,
+ assertingPartyCredentials(),
+ recipientEntityId
+ );
 token = responseXml(response, idpEntityId);
 provider.authenticate(token);
 }
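Review bot: The new negative test only pins that an encrypted assertion with no signature is rejected; nothing here checks that an encrypted assertion signed with a key the relying party does not trust is also rejected with `Saml2ErrorCodes.INVALID_SIGNATURE` when the Response is unsigned, which is the property the provider change now depends on. A fourth test mirroring `authenticateWhenEncryptedAssertionWithSignatureThenItSucceeds` but signing the assertion with a credential other than `assertingPartyCredentials()` (whichever non-IdP credential helper the fixture provides) and expecting `INVALID_SIGNATURE` would close that gap. It would also be worth a variant that signs the Response and gives the inner assertion a bad signature, so the "response signature is sufficient" path is shown to still reject a tampered assertion rather than merely tolerating a missing one.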
diff --git a/samples/boot/saml2login/src/integration-test/java/org/springframework/security/samples/Saml2LoginIntegrationTests.java b/samples/boot/saml2login/src/integration-test/java/org/springframework/security/samples/Saml2LoginIntegrationTests.java
index cf0c5dfd930..091f4bb197f 100644
--- a/samples/boot/saml2login/src/integration-test/java/org/springframework/security/samples/Saml2LoginIntegrationTests.java
+++ b/samples/boot/saml2login/src/integration-test/java/org/springframework/security/samples/Saml2LoginIntegrationTests.java
@@ -163,14 +163,15 @@ public void authenticateWhenResponseIsSignedAndAssertionIsEncryptedThenItSucceed
 EncryptedAssertion encryptedAssertion = OpenSamlActionTestingSupport.encryptAssertion(assertion, decodeCertificate(spCertificate));
 Response response = buildResponse(encryptedAssertion);
- signXmlObject(assertion, getSigningCredential(idpCertificate, idpPrivateKey, UsageType.SIGNING));
+ signXmlObject(response, getSigningCredential(idpCertificate, idpPrivateKey, UsageType.SIGNING));
 sendResponse(response, "/")
 .andExpect(authenticated().withUsername(USERNAME));
 }
 
 @Test
- public void authenticateWhenResponseIsNotSignedAndAssertionIsEncryptedThenItSucceeds() throws Exception {
+ public void authenticateWhenResponseIsNotSignedAndAssertionIsEncryptedAndSignedThenItSucceeds() throws Exception {
 Assertion assertion = buildAssertion(USERNAME);
+ signXmlObject(assertion, getSigningCredential(idpCertificate, idpPrivateKey, UsageType.SIGNING));
 EncryptedAssertion encryptedAssertion = OpenSamlActionTestingSupport.encryptAssertion(assertion, decodeCertificate(spCertificate));
 Response response = buildResponse(encryptedAssertion);