
sources/saml: Fix signature verification order to accommodate encrypted assertions#19593

Merged: PeshekDotDev merged 2 commits into main from saml-signature-encryption on Jan 20, 2026

Conversation

@PeshekDotDev
Contributor

Details

Since decrypting SAML changes its structure, verifying the signature of the response must happen before decryption.


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make docs)
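The ordering the PR description gives, as an added example that is not authentik's code: a constructed SAML Response whose assertion is encrypted is processed in both orders. XML-DSig is stood in for by an HMAC over the serialized document and XML-Enc by base64 (both assumptions made so the block runs on the standard library alone); the new order verifies the bytes the IdP sent and only then swaps in the plaintext Assertion, while the old order fails because decryption has rewritten the signed document.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)

IDP_KEY = b"constructed-demo-idp-key"  # stands in for the IdP's XML-DSig signing key
# Constructed plaintext assertion that the IdP placed, encrypted, inside the Response.
ASSERTION_XML = (f'<saml2:Assertion xmlns:saml2="{SAML}"><saml2:Subject>'
                 "<saml2:NameID>alice</saml2:NameID></saml2:Subject></saml2:Assertion>")

def signed_response() -> tuple:
    """Build a constructed Response carrying an EncryptedAssertion; return (doc, signature)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_constructed-resp"})
    enc = ET.SubElement(resp, f"{{{SAML}}}EncryptedAssertion")
    # base64 stands in for XML-Enc ciphertext so the demo needs no crypto library.
    ET.SubElement(enc, "CipherData").text = base64.b64encode(ASSERTION_XML.encode()).decode()
    doc = ET.tostring(resp)
    return doc, hmac.new(IDP_KEY, doc, hashlib.sha256).hexdigest()

def verify_signature(doc: bytes, sig: str) -> bool:
    """HMAC over the serialized bytes stands in for XML-DSig verification."""
    return hmac.compare_digest(hmac.new(IDP_KEY, doc, hashlib.sha256).hexdigest(), sig)

def decrypt_assertions(doc: bytes) -> bytes:
    """Swap each EncryptedAssertion for its plaintext Assertion: the document changes."""
    root = ET.fromstring(doc)
    for enc in root.findall(f"{{{SAML}}}EncryptedAssertion"):
        idx = list(root).index(enc)
        root.remove(enc)
        root.insert(idx, ET.fromstring(base64.b64decode(enc.find("CipherData").text)))
    return ET.tostring(root)

def verify_then_decrypt(doc: bytes, sig: str) -> Optional[bytes]:
    """Order the PR establishes: check the signature over the bytes the IdP actually sent."""
    return decrypt_assertions(doc) if verify_signature(doc, sig) else None

def decrypt_then_verify(doc: bytes, sig: str) -> Optional[bytes]:
    """Old order: the signature covered the encrypted form, so it no longer matches."""
    decrypted = decrypt_assertions(doc)
    return decrypted if verify_signature(decrypted, sig) else None
```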

@PeshekDotDev PeshekDotDev self-assigned this Jan 20, 2026
@PeshekDotDev PeshekDotDev requested a review from a team as a code owner January 20, 2026 02:05
@netlify

netlify bot commented Jan 20, 2026

Deploy Preview for authentik-docs ready!

Latest commit: 794284d
Latest deploy log: https://app.netlify.com/projects/authentik-docs/deploys/696ee2de17917c0008e3b715
Deploy Preview: https://deploy-preview-19593--authentik-docs.netlify.app

@codecov

codecov bot commented Jan 20, 2026

Codecov Report

❌ Patch coverage is 96.29630% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 93.27%. Comparing base (083b61c) to head (37ec60b).
⚠️ Report is 18 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines                         Patch %   Lines
authentik/sources/saml/processors/response.py    96.29%    1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #19593      +/-   ##
==========================================
+ Coverage   93.26%   93.27%   +0.01%     
==========================================
  Files         949      949              
  Lines       52069    52068       -1     
==========================================
+ Hits        48560    48565       +5     
+ Misses       3509     3503       -6     
Flag            Coverage Δ
conformance     38.26% <18.51%> (+<0.01%) ⬆️
e2e             44.09% <25.92%> (+0.01%) ⬆️
integration     23.20% <0.00%> (+<0.01%) ⬆️
unit            91.51% <96.29%> (+<0.01%) ⬆️
unit-migrate    91.54% <96.29%> (+<0.01%) ⬆️


@PeshekDotDev PeshekDotDev changed the title sources/saml: Fix signature verification order on encrypted responses sources/saml: Fix signature verification order to accommodate encrypted assertions Jan 20, 2026
@github-actions
Contributor

github-actions bot commented Jan 20, 2026

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-37ec60b69f70dd237a07140b8c6735356b62f887
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-37ec60b69f70dd237a07140b8c6735356b62f887

Afterwards, run the upgrade commands from the latest release notes.

Member

@BeryJu BeryJu left a comment


LGTM, added some type hints where applicable

@github-project-automation github-project-automation bot moved this from Todo to In Progress in authentik Core Jan 20, 2026
@PeshekDotDev PeshekDotDev added the backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 label Jan 20, 2026
@PeshekDotDev PeshekDotDev merged commit 1ddf4f8 into main Jan 20, 2026
102 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in authentik Core Jan 20, 2026
@PeshekDotDev PeshekDotDev deleted the saml-signature-encryption branch January 20, 2026 14:58
authentik-automation bot pushed a commit that referenced this pull request Jan 20, 2026
…ed assertions (#19593)

* sources/saml: Fix signature verification order on encrypted responses

* type hints

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
@authentik-automation
Contributor

🍒 Cherry-pick to version-2025.12 created: #19614

BeryJu added a commit that referenced this pull request Jan 20, 2026
…ed assertions (cherry-pick #19593 to version-2025.12) (#19614)

sources/saml: Fix signature verification order to accommodate encrypted assertions (#19593)

* sources/saml: Fix signature verification order on encrypted responses

* type hints



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
kensternberg-authentik added a commit that referenced this pull request Jan 20, 2026
* main: (191 commits)
  sources/saml: Fix signature verification order to accommodate encrypted assertions (#19593)
  providers/saml: fix structure of encrypted saml assertion (#19592)
  providers/saml: allow encryption certificates without private keys (#19526)
  integrations: add saml steps to mattermost (#19590)
  policies: fix Provider's authentication_flow not used when set (#19609)
  web: bump type-fest from 5.4.0 to 5.4.1 in /web (#19473)
  endpoints: fix endpoints stage marked as enterprise (#19607)
  core: bump selenium from 4.39.0 to 4.40.0 (#19564)
  core: bump goauthentik.io/api/v3 from 3.2026020.11 to 3.2026020.12 (#19594)
  core: bump openapitools/openapi-generator-cli from v7.18.0 to v7.19.0 in /scripts/api (#19595)
  core: bump fido2 from 2.1.0 to 2.1.1 (#19596)
  web: bump @sentry/browser from 10.34.0 to 10.35.0 in /web in the sentry group across 1 directory (#19597)
  core: bump aws-cdk-lib from 2.235.0 to 2.235.1 (#19598)
  web: bump the eslint group across 1 directory with 3 updates (#19599)
  web: bump the rollup group across 1 directory with 4 updates (#19600)
  web: bump the swc group across 1 directory with 12 updates (#19601)
  web: bump pino from 10.2.0 to 10.2.1 in /web (#19602)
  web: bump knip from 5.81.0 to 5.82.1 in /web (#19603)
  tests: improve e2e/integration test reliability (#19540)
  web: update @goauthentik/api (#19542)
  ...
BeryJu pushed a commit that referenced this pull request Jan 27, 2026
kensternberg-authentik added a commit that referenced this pull request Jan 31, 2026
* main: (45 commits)
  sources/saml: Add testcases for PR #19593 (#19647)
  revert: website/integrations: wazuh: Change exchange key generation to 64 bytes (#19759)
  web: bump API Client version (#19760)
  core: bump djangoql from 0.18.2 to 0.19.1 (#19780)
  web: Vendor SFE Bootstrap (#19766)
  core, web: update translations (#19717)
  web: bump the eslint group across 1 directory with 3 updates (#19782)
  web: bump the react group across 1 directory with 2 updates (#19784)
  web: bump country-flag-icons from 1.6.8 to 1.6.9 in /web (#19785)
  providers/oauth2: Support login_hint (#19498)
  admin/files: add centralized theme variable support for file URLs (#19657)
  core: bump github.com/pires/go-proxyproto from 0.9.1 to 0.9.2 (#19778)
  core: bump openapitools/openapi-diff from 2.1.6 to 2.1.7 in /scripts/api (#19779)
  core: bump gssapi from 1.10.1 to 1.11.1 (#19781)
  ci: bump actions/attest-build-provenance from 3.1.0 to 3.2.0 (#19783)
  website/docs: endpoint devices: fix local device login (#19698)
  web: Enforce `challenge` nullish types. (#19768)
  web/elements: stabilize dual-select status height (#19734)
  web/a11y: CAPTCHA Stage Form (#19670)
  web/table: align row action icons and tooltip color (#19736)
  ...
Labels

backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12

Projects

Status: Done

2 participants