[BUG] When validating the SAML Response, it is assumed that the SAML Response ID attribute is the same as the SAML Assertion ID attribute

Hello,

I'm using Auth0 as the Identity Provider for my project. When Auth0 sends my app a SAML Response, the ID attribute of the samlp:Response element doesn't match the ID saml:Assertion element.

e.g.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_05c1cd292f39027f463a" Version="2.0" IssueInstant="2022-11-10T21:53:21.890Z" Destination="https://localhost:8446/saml/callback">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        Auth0
    </saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_FSCsC9u7rraXQLZ8UoU9AxBHbbBxApnd" IssueInstant="2022-11-10T21:53:21.827Z">
        <saml:Issuer>
            Auth0
        </saml:Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                ...
            </SignedInfo>
            <SignatureValue>
                ...
            </SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>
                       ... 
                    </X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
    </saml:Assertion>
</samlp:Response>

I'm getting an error Invalid document signature when calling passport.authenticate().

I've stepped through the code and can see that you assume these IDs are the same.

saml.ts - line 690

let validSignature = false;
if (validateSignature(xml, doc.documentElement, certs)) {
  validSignature = true;
}

if (this.options.wantAuthnResponseSigned === true && validSignature === false) {
  throw new Error("Invalid document signature");
}

The error is being thrown because validSignature is false.

Looking at the validateSignature() method, the XPath is looking for a descendant (i.e. the Assertion element) with a matching ID to the root element (i.e. the SAML Response element).

xml.js - line 82

const xpathSigQuery =
  ".//*[" +
  "local-name(.)='Signature' and " +
  "namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#' and " +
  "descendant::*[local-name(.)='Reference' and @URI='#" +
  currentNode.getAttribute("ID") +
  "']" +
  "]";
const signatures = xpath.selectElements(currentNode, xpathSigQuery);
// This function is expecting to validate exactly one signature, so if we find more or fewer
//   than that, reject.
if (signatures.length !== 1) {
  return false;
}

Please could you amend your XPath so that it doesn't make this assumption?

Thanks,

Ben

[srd90]

@BenBullock1992 You did not provide any passport-saml, node-saml, @node-saml/passport-saml or @node-saml/node-saml version number.

By looking at copy pasted example codes those must be have come from version node-saml >= 4.0.0-beta.5 which introduced #83 and #177. see:

1. v4.0.0/CHANGELOG.md#v400-beta5-2022-10-11 regarding major changes
2. v4.0.0/README.md#config-parameter-details regarding wantAssertionsSigned and wantAuthnResponseSigned

Based on example document you copy pasted Auth0 does not seem to be configured to sign top level document (only assertion). passport-saml/node-saml's default is now to fail hard if top level signature doesn't match. You have option to modify auth0 side configurations to sign top level document and/or assertion (if auth0 supports such configuration) or modify passport-saml/node-saml configuration accordingly (to match what has been configured to auth0 side).

[srd90]

@BenBullock1992 furthermore regarding title you choosed to this bug report:

When validating the SAML Response, it is assumed that the SAML Response ID attribute is the same as the SAML Assertion ID attribute

passport-saml or node-saml would have never worked if it would have expected that two XML elements have XML ID attribute with same value. XML spec doesn't allow that. Value of the ID must be document wide unique (and SAML spec adds few extra requirements to it but from title's point of view XML spec is already against such situation).

[cjbarth]

Thank you @srd90 , your comments well describe the problem. Closing.

Thanks for explaining @srd90, this makes perfect sense now!

Thanks @cjbarth for closing too :).