Bug 1017219

Summary: Add digital signatures to SAML assertions in Overlord SAML Bearer Token Auth
Product: [JBoss] JBoss Fuse Service Works 6
Component: DT Governance
Status: VERIFIED
Severity: high
Priority: unspecified
Version: unspecified
Target Milestone: CR1
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Reporter: Eric Wittmann <eric.wittmann>
Assignee: Nobody <nobody>
QA Contact: Matej Melko <mmelko>
CC: ldimaggi, sbunciak, soa-p-jira

Description Eric Wittmann 2013-10-09 13:00:05 UTC
Description of problem:
Currently the SAML assertion used as proof of identity when performing SAML Bearer Token authentication is not being digitally signed.  Digital signatures are a necessary piece of authenticating in this way; without signatures this form of authentication is not secure.

How reproducible:
Always

Steps to Reproduce:
1. Install dtgov/s-ramp/rtgov
2. Log in to any overlord UI
3. Perform any user action that requires server data :)

Actual results:
Behind the scenes SAML bearer token auth is used when invoking overlord REST services on behalf of the logged-in user.  The SAML assertion used is not signed.

Expected results:
The SAML assertion needs to be signed.

Additional info:
Fixing this requires a Java keystore shared between the authentication provider creating the SAML assertion (e.g. s-ramp UI) and the authentication login module consuming/verifying the SAML assertion (e.g. s-ramp-server).

Comment 2 Eric Wittmann 2013-10-29 13:36:58 UTC
The overlord apps now support digitally signing the SAML Assertions when performing SAML Bearer Token authentication.  This must be configured in both the clients (sramp-ui.properties, dtgov-ui.properties, gadget-server.properties, etc) and on the server (standalone.xml).

A Java keystore must be created and populated with a keypair used to sign the SAML assertions (client-side) and to verify the signature (server-side).

This has been documented in mojo to be referenced by interested/relevant parties.

Assigning to thauser to complete the prod installer changes.
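
The flow described in the description's "Additional info" and in comment 2 (the client signs the bearer assertion with the private key from a shared Java keystore, the server-side login module verifies it with the matching key) as an added example written for this page; it is not Overlord's own code. It assumes a minimal SAML 2.0 assertion, an RSA-SHA256 enveloped XML-DSig built with the JDK's javax.xml.crypto API, and placeholder keystore path/alias/password parameters; the Overlord property keys and standalone.xml settings are not shown because the bug does not name them.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class SignedSamlBearerDemo {
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                   // XML-DSig needs a namespace-aware DOM
        return dbf.newDocumentBuilder();
    }
    static Element child(Element parent, String name, String text) {
        Element e = parent.getOwnerDocument().createElementNS(SAML, "saml:" + name);
        if (text != null) e.setTextContent(text);
        parent.appendChild(e);
        return e;
    }
    // Client side (e.g. the s-ramp UI): the bearer assertion naming the logged-in user.
    static Document buildAssertion(String issuer, String subject) throws Exception {
        Document doc = builder().newDocument();
        Element a = doc.createElementNS(SAML, "saml:Assertion");
        a.setAttribute("ID", "_" + UUID.randomUUID());
        a.setAttribute("Version", "2.0");
        a.setAttribute("IssueInstant", java.time.Instant.now().toString());
        a.setIdAttribute("ID", true);                  // lets the "#ID" reference below resolve
        doc.appendChild(a);
        child(a, "Issuer", issuer);
        child(child(a, "Subject", null), "NameID", subject);
        return doc;
    }
    // Client side: enveloped XML-DSig over the whole assertion, placed after saml:Issuer as SAML 2.0 requires.
    static void sign(Document doc, PrivateKey key, PublicKey pub) throws Exception {
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Element a = doc.getDocumentElement();
        Reference ref = f.newReference("#" + a.getAttribute("ID"),
            f.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                          f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = f.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(pub)));
        Node afterIssuer = a.getFirstChild().getNextSibling();
        f.newXMLSignature(si, ki).sign(new DOMSignContext(key, a, afterIssuer));
    }
    // Server side (e.g. the s-ramp-server login module): validate with the key the server trusts from its own keystore, never with the KeyInfo the client shipped.
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        Element a = doc.getDocumentElement();
        a.setIdAttribute("ID", true);                  // a re-parsed document has no typed ID attribute
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;       // unsigned, or extra (wrapped) signatures
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;
        for (Object o : sig.getSignedInfo().getReferences())   // the signature must cover THIS assertion
            if (!("#" + a.getAttribute("ID")).equals(((Reference) o).getURI())) return false;
        return true;
    }
    static String serialize(Document doc) throws Exception {
        StringWriter sw = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();
    }
    static Document parse(String xml) throws Exception {
        return builder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }
    // Production path: both sides open the shared JKS keystore the bug calls for (path/alias/passwords are assumptions, not Overlord's config keys).
    static KeyStore keystore(String path, char[] storePw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, storePw); }
        return ks;   // client: (PrivateKey) ks.getKey(alias, keyPw); server: ks.getCertificate(alias).getPublicKey()
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");   // in-memory stand-in for the keystore
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document assertion = buildAssertion("sramp-ui", "admin");
        sign(assertion, kp.getPrivate(), kp.getPublic());
        String wire = serialize(assertion);            // what the REST call carries to the server
        System.out.println("genuine assertion:        " + verify(parse(wire), kp.getPublic()));
        String forged = wire.replace(">admin<", ">someone-else<");
        System.out.println("NameID edited in transit: " + verify(parse(forged), kp.getPublic()));
        KeyPair rogue = kpg.generateKeyPair();         // a client whose key is not in the server's keystore
        System.out.println("unknown signing key:      " + verify(parse(wire), rogue.getPublic()));
    }
}
```

Compile and run with `javac SignedSamlBearerDemo.java && java SignedSamlBearerDemo`; only the first check passes. The verifying side deliberately takes its public key as a parameter rather than reading the KeyValue embedded in the assertion: an assertion that carries its own verification key proves nothing, which is why the bug calls for the keypair to live in a keystore that the consuming login module reads itself. The reference-URI check and the single-Signature rule are the two extra checks a bearer-token consumer needs so that a signature over some other element cannot be presented as covering the assertion.
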

Comment 3 Thomas Hauser 2014-01-15 21:39:10 UTC
I believe I missed this one. This should definitely be present in any post beta build.

Comment 4 Thomas Hauser 2014-01-15 22:18:31 UTC
I believe I missed this one. This should definitely be present in any post beta build.

Comment 5 Stefan Bunciak 2014-01-16 09:09:30 UTC
Verified in FSW 6.0.0.CR1