Bug 1017219 - Add digital signatures to SAML assertions in Overlord SAML Bearer Token Auth
Status: VERIFIED
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: DT Governance
Severity: high
: CR1
: 6.0.0
Assigned To: Thomas Hauser
Matej Melko
Reported: 2013-10-09 09:00 EDT by Eric Wittmann
Modified: 2015-11-02 03:07 EST (History)
Doc Type: Bug Fix
Type: Bug
Description Eric Wittmann 2013-10-09 09:00:05 EDT
Description of problem:
Currently the SAML assertion used as proof of identity when performing SAML Bearer Token authentication is not being digitally signed.  Digital signatures are a necessary piece of authenticating in this way...without signatures this form of authentication is not secure.

How reproducible:
Always

Steps to Reproduce:
1. Install dtgov/s-ramp/rtgov
2. Log in to any overlord UI
3. Perform any user action that requires server data :)

Actual results:
Behind the scenes SAML bearer token auth is used when invoking overlord REST services on behalf of the logged-in user.  The SAML assertion used is not signed.

Expected results:
The SAML assertion needs to be signed.

Additional info:
Fixing this requires a java keystore shared between the authentication provider creating the saml assertion (e.g. s-ramp UI) and the authentication login module consuming/verifying the saml assertion (e.g. s-ramp-server).
Comment 2 Eric Wittmann 2013-10-29 09:36:58 EDT
The overlord apps now support digitally signing the SAML Assertions when performing SAML Bearer Token authentication.  This must be configured in both the clients (sramp-ui.properties, dtgov-ui.properties, gadget-server.properties, etc) and on the server (standalone.xml).

A java keystore must be created and populated with a keypair used to sign the saml assertions (client-side) and to verify the signature (server-side).

This has been documented in mojo to be referenced by interested/relevant parties.

Assigning to thauser to complete the prod installer changes.
Comment 3 Thomas Hauser 2014-01-15 16:39:10 EST
I believe I missed this one. This should definitely be present in any post beta build.
Comment 4 Thomas Hauser 2014-01-15 17:18:31 EST
I believe I missed this one. This should definitely be present in any post beta build.
Comment 5 Stefan Bunciak 2014-01-16 04:09:30 EST
Verified in FSW 6.0.0.CR1
