• Eric Chiang's avatar
    connector/saml: fix validation bug with multiple Assertion elements · 59cefd98
    Eric Chiang authored
    When a SAML response provided multiple Assertion elements, only the
    first one is checked for a valid signature. If the Assertion is
    verified, the original Assertion is removed and the canonicalized
    version is prepended to the Response. However, if there were
    multiple assertions, the second assertion could end up first in the
    list of Assertions, even if it was unsigned.
    
    For example this:
    
        <Response>
          <!--
             Response unsigned. According to SAML spec must check
             assertion signature.
          -->
          <Assertion>
            <Signature>
              <!-- Correrctly signed assertion -->
            </Signature>
          </Assertion>
    
          <Assertion>
            <!-- Unsigned assertion inserted by attacker-->
          </Assertion>
        </Response>
    
    could be verified then re-ordered to the following:
    
        <Response>
          <!--
             Response unsigned. According to SAML spec must check
             assertion signature.
          -->
          <Assertion>
            <!-- Unsigned assertion inserted by attacker-->
          </Assertion>
    
          <Assertion>
            <!-- Canonicalized, correrctly signed assertion -->
          </Assertion>
        </Response>
    
    Fix this by removing all unverified child elements of the Response,
    not just the original assertion.
    59cefd98