Description
Describe the bug
When enabling the option to sign both assertions and the response, both fail to validate the signature and the same goes when just trying to sign the response rather than both or just assertions.
To Reproduce
Steps to reproduce the behavior:
1. Using Authentik as the IDP: create a provider and application for samltest.io and be sure to set the Signing Certificate and options to sign both assertions and responses.
2. Under the application, press "Launch" (or visit it from the "User Interface").
3. Scroll down to the "SAML Info" section and you will be shown a signature section.
4. See the errors "Response not signed" and "Invalid Signature" for assertions.
   - 4a. If you expand the "Invalid Signature" message, notice the error regarding "Cryptographic error: Cannot get object by reference".
   - 4b. If you change the options to only sign assertions in step 1 and replay steps 2-3, you will see a valid signature.
   - 4c. If you change the options to only sign the response in step 1, you will notice the Assertion error is the same as step 4a with "Not Signed" for the response.
Expected behavior
Both assertions and responses should be able to be signed independently and should not cause one or the other to fail validation. In this case, it appears the signature for both is only being served under the Response/Assertion/Signature node whereas the signature should fall under Response/Signature and Response/Assertion/Signature respectively for Responses and Assertions.
Screenshots
If needed, I can provide better screenshots of the configuration and the results from samltest.io (redacted of course), but the steps to reproduce are easy enough, so it shouldn't be needed.
Logs
I'm unsure what logs you would like to have posted since it is not crashing or causing log entries in the normal sense. This is more of a feature that needs some polishing to take it over the finish line.
Version and Deployment:
- authentik version: 2024.10.4
- Deployment: docker-compose
Additional context
N/A, but feel free to ask for more information that you feel I may not have provided.
-DC
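An added diagnostic, not part of this issue or of authentik's code: it parses a SAML Response and reports which element carries each ds:Signature as a direct child and whether that signature's Reference URI points at the ID of the element enclosing it, which is the placement mismatch the report describes. The two sample responses are constructed (IDs `_resp1` and `_asrt1` are invented); the first mirrors the broken layout, the second the expected one.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RESPONSE, ASSERTION, SIGNATURE = ("{%s}Response" % NS["samlp"],
                                  "{%s}Assertion" % NS["saml"],
                                  "{%s}Signature" % NS["ds"])

def check_signature_placement(xml_text):
    """Report which elements carry a direct ds:Signature and whether each Reference matches its enclosing ID."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    result = {"response_signed": False, "assertion_signed": False, "problems": []}
    for sig in root.iter(SIGNATURE):
        parent = parent_of[sig]
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        target = uri[1:] if uri.startswith("#") else uri
        if parent.tag == RESPONSE:
            result["response_signed"] = True
        elif parent.tag == ASSERTION:
            result["assertion_signed"] = True
        else:
            result["problems"].append("Signature under unexpected element " + parent.tag)
        if target != parent.get("ID"):
            # A validator resolving this Reference relative to the enclosing element cannot
            # find the referenced object, matching the "Cannot get object by reference" error.
            result["problems"].append("Signature under %s references %r but enclosing ID is %r"
                                      % (parent.tag.rsplit("}", 1)[1], target, parent.get("ID")))
    return result

# Constructed sample: both signatures sit under the Assertion, the second pointing at the Response ID.
MISPLACED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
 <saml:Assertion ID="_asrt1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_asrt1"/></ds:SignedInfo></ds:Signature>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
 </saml:Assertion></samlp:Response>"""
# Constructed sample: the expected layout, Response/Signature plus Response/Assertion/Signature.
CORRECT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
 <saml:Assertion ID="_asrt1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_asrt1"/></ds:SignedInfo></ds:Signature>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("misplaced", MISPLACED), ("correct", CORRECT)):
        print(name, check_signature_placement(doc))
```

The check only inspects structure and reference targets; it does not verify the cryptographic signature values themselves.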
