Using spring boot 2.7 with saml2 through opensaml4 fails

[EugenMayer]

When using mock-saml with the current spring security saml2 implementation, using opensaml4 as the protocol implementation, we end up

TypeError: Cannot read properties of undefined (reading '$')
    at extractSAMLRequestAttributes (/app/.next/server/chunks/391.js:116:52)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async processSAMLRequest (/app/.next/server/pages/api/saml/sso.js:85:72)
    at async handler (/app/.next/server/pages/api/saml/sso.js:65:20)
    at async Object.apiResolver (/app/node_modules/next/dist/server/api-utils/node.js:363:9)
    at async NextNodeServer.runApi (/app/node_modules/next/dist/server/next-server.js:488:9)
    at async Object.fn (/app/node_modules/next/dist/server/next-server.js:750:37)
    at async Router.execute (/app/node_modules/next/dist/server/router.js:253:36)
    at async NextNodeServer.run (/app/node_modules/next/dist/server/base-server.js:384:29)
    at async NextNodeServer.handleRequest (/app/node_modules/next/dist/server/base-server.js:322:20)

The entire setup is fairly basic. We did not configure AuthNSignRequest since we yet do not understand which private key to use on the client side. Should the generated key/pair that is used for response signing just used on the client to sign the request?

Thank you for the clarification

[deepakprabhakara]

Thanks for reporting this @EugenMayer. We currently only support signed requests which is why you are seeing the error. You can use any key pair to do the signing of the request, Mock SAML does not need any prior knowledge of the public key. The request signature is validated using the public key that is sent with the request to ensure it wasn't changed in transit.

[EugenMayer]

@deepakprabhakara thank you for the quick reply.

So the signature is never validated, right? We can use any private key, it just needs to be signed - did i understand this correctly?

[deepakprabhakara]

You can use any private key, the public key will get sent with the signature in the request and we use that to validate the signature. But we don't have to worry about where it came from, only that the contents are what it says it is.

[EugenMayer]

Sorry, i was not aware that AuthNRequest signing is for integrity only. Thank you a lot for the clarification!

If you like, we could close the issue

[EugenMayer]

We tried to use request signing by adding a private/public key and activating it. Still we get

TypeError: Cannot read properties of undefined (reading '$')
    at extractSAMLRequestAttributes (/app/.next/server/chunks/391.js:116:52)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async processSAMLRequest (/app/.next/server/pages/api/saml/sso.js:85:72)
    at async handler (/app/.next/server/pages/api/saml/sso.js:65:20)
    at async Object.apiResolver (/app/node_modules/next/dist/server/api-utils/node.js:363:9)
    at async NextNodeServer.runApi (/app/node_modules/next/dist/server/next-server.js:488:9)
    at async Object.fn (/app/node_modules/next/dist/server/next-server.js:750:37)
    at async Router.execute (/app/node_modules/next/dist/server/router.js:253:36)
    at async NextNodeServer.run (/app/node_modules/next/dist/server/base-server.js:384:29)
    at async NextNodeServer.handleRequest (/app/node_modules/next/dist/server/base-server.js:322:20)

I can see that the outgoing request is actually including the signature

http://localhost:45000/api/saml/sso?SAMLRequest=fZLNbsIwEIRfxdq7iRP%2BLQKiRahIVKUQeujNJAtYSmzqdVAfv2kIKm0lbrY841l%2F49Hks8jZGR1pa2IIWwIYmtRm2hxi2CZzPoDJeESqyKOTnJb%2BaNb4USJ5VhkNyctJDKUz0irSJI0qkKRP5Wb6vJRRS8iTs96mNgc2JULnq6hHa6gs0G3QnXWK2%2FUyhqP3JxkEuU1VfrTkq9VBm6BOCIhsUCjy6IDNqnhtlK9H%2FuuSna4QIlAnXTu%2FjcDm1qVYTx%2FDXuWEwBazGKbr1ygS4bAb8i6minf62Z4PskHI%2ByG228Nhr79Lh5WWVopIn%2FHHTVTiwpBXxscQiajNRZuHvUT0ZSeU3U4r6kXvwFbN0x%2B0uSC9x2l3EZF8SpIVX71sEmBv12oqATRFyDrd3TZw%2F2J1xQ7jf5AbvJceeFXVWWfoeIFeZcqrBvoouE0eN9vfP2L8BQ%3D%3D&RelayState=3ec866d4-1a7b-4ab8-9618-544b3afd82e2&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=LCePkq1eFBQua8tynMrF8JVVchiVRbG2W3nGyrORbgTEsKOHqQi3WKfJasWaGMfIfg5IoTm2vYeRZ5sh6gMqPK56RdT9V8QP3BzvDCoMXEroXxnaUEhFpeLb8tM5rDBQDUWLJUf58dNNXXhetatoXnS35Lo1xOOfjJogund1h4Tt2gbJCeito7LyQPmbKMiu7PsZwEGLEJRForggejzf8g1syNNkKA%2FWEMl3dTurBlha%2BgRoSzJunCo7qcU5oY1KZC6%2FOxgc1z%2Fe50WuEFeezsI6q8mu7lGLIB3xwpDnE6fRV5CLHfoc0r2mYxxWZCIrg55azkjBMIjsecPf3Jwbmg%3D%3D

Maybe the actual auth request does miss something you expect, deflated/decoded it is

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="http://localhost/login/saml2/sso/master"
  Destination="http://localhost:45000/api/saml/sso" ForceAuthn="false" ID="ARQbedf3fc-d18c-45d4-8242-43be3411739e"
  IsPassive="false" IssueInstant="2023-03-16T07:30:31.114Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    http://localhost/saml2/service-provider-metadata/master
  </saml2:Issuer>
</saml2p:AuthnRequest>

[deepakprabhakara]

Aah, this is related to #143

[EugenMayer]

closing a dupe then