ws-users mailing list archives

From Nimish Telang <>
Subject Signed SAML tokens generate incomplete SignatureConfirmation results -- bug?
Date Sat, 07 Sep 2019 18:10:38 GMT
Hi all,

If we enable signature confirmation element generation, the SignatureConfirmation Action will
generate Elements for every signature, including signed SAML assertions/tokens. This has a
few issues, namely:

  1. The SAML assertion processor does not add a "signature-value" (WSSecurityEngineResult.TAG_SIGNATURE_VALUE),
     so the signature confirmation associated with the signed assertion has no attribute value,
     which according to the spec is: "If this attribute is specified with an empty value, the
     initiator SHOULD interpret this as incorrect behavior and process accordingly."
  2. A SignatureConfirmation must be generated for every ds:Signature processed including,
     as far as I can tell, a signed SAML assertion.

This results in bogus SignatureConfirmations. I don't know which part is wrong, but I do
know a signature confirmation w/o a value is busted.

Based on reading the source, the SAMLTokenSigned processor should fill in the signature value.
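The initiator-side check the post is relying on, as an added example that is not part of the original message and not WSS4J code: it parses the wsse:Security header of a response, finds every wsse11:SignatureConfirmation, and flags the case described above (a confirmation whose Value attribute is present but empty), as well as confirmations that do not match any ds:SignatureValue the initiator sent and sent signatures that were never confirmed. The namespace URIs are the real WS-Security 1.0/1.1 ones; the SOAP envelopes, wsu:Id values, base64 signature values and the function name `check_signature_confirmations` are constructed for this example.

```python
"""Receiver-side sanity check for wsse11:SignatureConfirmation elements.

Added example (assumed helper, not WSS4J code). Per WS-Security 1.1 the
Value attribute of a SignatureConfirmation must be a copy of a
ds:SignatureValue from the initiator's request; a Value that is present
but empty is incorrect behaviour, and a confirmation with no Value at all
is only acceptable when the request carried no signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed sample: the initiator signed the request with one signature whose
# ds:SignatureValue was the base64 string below.
SENT_SIGNATURE_VALUES = {"c2lnbmF0dXJlLW9uZQ=="}

# Constructed response header: sc-1 correctly echoes the request signature,
# sc-2 is the symptom from the post (a confirmation generated for a signed
# SAML assertion, with an empty Value).
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse11:SignatureConfirmation wsu:Id="sc-1" Value="c2lnbmF0dXJlLW9uZQ=="/>
   <wsse11:SignatureConfirmation wsu:Id="sc-2" Value=""/>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

# Constructed response to an unsigned request: a single Value-less confirmation.
SAMPLE_UNSIGNED_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse11:SignatureConfirmation wsu:Id="sc-0"/>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""


def check_signature_confirmations(envelope, sent_signature_values):
    """Return a list of problem strings; an empty list means the confirmations
    are consistent with the signatures the initiator sent."""
    sent = set(sent_signature_values)
    root = ET.fromstring(envelope)
    confirmations = root.findall(
        "./soap:Header/wsse:Security/wsse11:SignatureConfirmation", NS)
    problems = []
    if not confirmations:
        return ["no SignatureConfirmation element in response"]

    confirmed = set()
    for elem in confirmations:
        elem_id = elem.get("{%s}Id" % NS["wsu"], "<no wsu:Id>")
        value = elem.get("Value")
        if value is None:
            # Absent Value means "request was unsigned"; wrong if we did sign.
            if sent:
                problems.append("%s: Value absent but the request was signed" % elem_id)
            continue
        if value == "":
            # The case from the post: spec says treat this as incorrect behaviour.
            problems.append("%s: empty Value attribute (incorrect behaviour)" % elem_id)
            continue
        if value not in sent:
            problems.append("%s: Value does not match any signature we sent" % elem_id)
            continue
        confirmed.add(value)

    # Every signature the initiator sent must have been confirmed.
    for value in sorted(sent - confirmed):
        problems.append("no confirmation for sent signature value %s" % value)
    return problems


if __name__ == "__main__":
    for line in check_signature_confirmations(SAMPLE_RESPONSE, SENT_SIGNATURE_VALUES):
        print("PROBLEM:", line)
    print("unsigned request:",
          check_signature_confirmations(SAMPLE_UNSIGNED_RESPONSE, set()) or "ok")
```

Run as-is, the signed sample reports only `sc-2: empty Value attribute (incorrect behaviour)` (the confirmation for the signed assertion), while the unsigned sample passes; a sender that, as the post describes, emits a confirmation without copying the assertion's signature value would be rejected by an initiator applying this check.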
