Red Hat Bugzilla – Bug 1017219
Add digital signatures to SAML assertions in Overlord SAML Bearer Token Auth
Last modified: 2015-11-02 03:07:15 EST
Description of problem:
Currently the SAML assertion used as proof of identity when performing SAML Bearer Token authentication is not being digitally signed. Digital signatures are a necessary piece of authenticating in this way; without signatures this form of authentication is not secure.
Steps to Reproduce:
1. Install dtgov/s-ramp/rtgov
2. Log in to any overlord UI
3. Perform any user action that requires server data :)
Behind the scenes SAML bearer token auth is used when invoking overlord REST services on behalf of the logged-in user. The SAML assertion used is not signed.
The SAML assertion needs to be signed.
Fixing this requires a Java keystore shared between the authentication provider creating the SAML assertion (e.g. s-ramp UI) and the authentication login module consuming/verifying the SAML assertion (e.g. s-ramp-server).
The overlord apps now support digitally signing the SAML assertions when performing SAML Bearer Token authentication. This must be configured both in the clients (sramp-ui.properties, dtgov-ui.properties, gadget-server.properties, etc.) and on the server (standalone.xml).
A Java keystore must be created and populated with a key pair used to sign the SAML assertions (client-side) and to verify the signature (server-side).
This has been documented in mojo to be referenced by interested/relevant parties.
Assigning to thauser to complete the prod installer changes.
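The sign/verify round trip that the description and the fix comment above call for, as an added example that is not Overlord/s-ramp project code: a JDK-only (javax.xml.crypto.dsig) enveloped XML signature over a minimal SAML 2.0 assertion, with the producer taking its private key from a JKS keystore and the consumer verifying against the certificate it already trusts from its own keystore. The keystore path, password and alias `overlord-saml`, the `keytool` invocation, the assertion ID and the subject name are assumptions made for the example; when no keystore arguments are given, the program generates a throwaway RSA key pair so it runs offline.

```java
// Added example, not Overlord/s-ramp code. Assumes a hypothetical keystore created with:
//   keytool -genkeypair -alias overlord-saml -keyalg RSA -keysize 2048 \
//           -keystore overlord-saml.jks -validity 365
// The client (assertion producer) needs the private key; the server (login module)
// only needs the certificate, which can be exported with "keytool -exportcert".
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlAssertionSigning {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Client side: load the signing key pair from the shared JKS keystore (hypothetical layout).
    static KeyPair loadFromKeystore(String path, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        KeyStore.PrivateKeyEntry e =
            (KeyStore.PrivateKeyEntry) ks.getEntry(alias, new KeyStore.PasswordProtection(pw));
        return new KeyPair(e.getCertificate().getPublicKey(), e.getPrivateKey());
    }

    // Constructed minimal assertion; a real one also carries Issuer, Conditions and AuthnStatement.
    static Document buildAssertion(String id, String subject) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element a = doc.createElementNS(SAML_NS, "saml:Assertion");
        a.setAttribute("ID", id);
        a.setAttribute("Version", "2.0");
        a.setIdAttribute("ID", true);               // lets the "#id" Reference resolve
        Element subj = doc.createElementNS(SAML_NS, "saml:Subject");
        Element nameId = doc.createElementNS(SAML_NS, "saml:NameID");
        nameId.setTextContent(subject);
        subj.appendChild(nameId);
        a.appendChild(subj);
        doc.appendChild(a);
        return doc;
    }

    // Client side: enveloped RSA-SHA256 signature over the whole Assertion element.
    static void sign(Document doc, KeyPair kp) throws Exception {
        Element a = doc.getDocumentElement();
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#" + a.getAttribute("ID"),
            f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = f.getKeyInfoFactory();     // KeyInfo is informational only; see verify()
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        f.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), a));
    }

    // Server side: verify with the key from the server's own keystore. Never take the
    // verification key from the assertion's <KeyInfo>: the sender controls that element.
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        Element a = doc.getDocumentElement();
        a.setIdAttribute("ID", true);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;                // unsigned (the bug) or ambiguous
        if (sigs.item(0).getParentNode() != a) return false;    // must envelop the Assertion itself
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        for (Object r : sig.getSignedInfo().getReferences()) {   // guard against signature wrapping
            if (!("#" + a.getAttribute("ID")).equals(((Reference) r).getURI())) return false;
        }
        return sig.validate(ctx);                                // checks digest and signature value
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp;
        if (args.length == 3) {                                  // <keystore.jks> <password> <alias>
            kp = loadFromKeystore(args[0], args[1].toCharArray(), args[2]);
        } else {                                                 // offline run: throwaway key pair
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            kp = g.generateKeyPair();
        }
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair other = g.generateKeyPair();                      // stands in for an attacker's key

        Document doc = buildAssertion("_7f3c9a1e", "alice");
        System.out.println("unsigned assertion accepted:  " + verify(doc, kp.getPublic()));
        sign(doc, kp);
        System.out.println("signed assertion accepted:    " + verify(doc, kp.getPublic()));
        System.out.println("signed by other key accepted: " + verify(doc, other.getPublic()));
        doc.getElementsByTagNameNS(SAML_NS, "NameID").item(0).setTextContent("admin");
        System.out.println("tampered assertion accepted:  " + verify(doc, kp.getPublic()));
    }
}
```

The checks in verify() are the ones a consuming login module needs beyond the bare signature: an unsigned assertion (the state this bug describes) is rejected outright, exactly one Signature is allowed and it must be a direct child of the Assertion whose ID it references (so an attacker cannot wrap a validly signed assertion around a different, unsigned one), the public key comes from the server's keystore rather than from <KeyInfo>, and secure validation is enabled. On the wire the assertion is serialized and re-parsed; do that with a namespace-aware parser that has DTDs and external entities disabled, then hand the DOM to verify().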
I believe I missed this one. This should definitely be present in any post beta build.
Verified in FSW 6.0.0.CR1