Description of problem:
Currently the SAML assertion used as proof of identity when performing SAML Bearer Token authentication is not being digitally signed. Digital signatures are a necessary piece of authenticating in this way... without signatures this form of authentication is not secure.

How reproducible:
Always

Steps to Reproduce:
1. Install dtgov/s-ramp/rtgov
2. Log in to any overlord UI
3. Perform any user action that requires server data :)

Actual results:
Behind the scenes, SAML bearer token auth is used when invoking overlord REST services on behalf of the logged-in user. The SAML assertion used is not signed.

Expected results:
The SAML assertion needs to be signed.

Additional info:
Fixing this requires a Java keystore shared between the authentication provider creating the SAML assertion (e.g. s-ramp UI) and the authentication login module consuming/verifying the SAML assertion (e.g. s-ramp-server).
The overlord apps now support digitally signing the SAML Assertions when performing SAML Bearer Token authentication. This must be configured in both the clients (sramp-ui.properties, dtgov-ui.properties, gadget-server.properties, etc.) and on the server (standalone.xml). A Java keystore must be created and populated with a keypair used to sign the SAML assertions (client-side) and to verify the signature (server-side). This has been documented in mojo to be referenced by interested/relevant parties. Assigning to thauser to complete the prod installer changes.
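As an added illustration of the sign-on-the-client / verify-on-the-server split described in the comment above (this is example code, not code from the overlord or s-ramp projects): the client side puts an enveloped XML signature on a SAML 2.0 assertion and the server side verifies it against a trusted public key, using only the JDK's javax.xml.crypto.dsig API. The assertion text, the issuer and subject values, and the SamlAssertionSigningDemo class are constructed for illustration; the in-memory RSA keypair stands in for the shared keystore the comment says must be created and configured on both sides.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlAssertionSigningDemo {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample assertion; ID, issuer and subject are illustrative values.
    static final String ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_a1\" Version=\"2.0\""
        + " IssueInstant=\"2013-01-01T00:00:00Z\"><saml:Issuer>sramp-ui</saml:Issuer>"
        + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The server parses a client-supplied token: no DOCTYPE, no entity expansion.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // Register ID as an ID attribute so a Reference URI of "#_a1" resolves to the root.
        doc.getDocumentElement().setIdAttribute("ID", true);
        return doc;
    }

    // Client side (e.g. sramp-ui): enveloped signature over the whole assertion.
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element root = doc.getDocumentElement();
        Reference ref = fac.newReference("#" + root.getAttribute("ID"),
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        // No KeyInfo on purpose: the verifier must never take the key from the token.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), root));
    }

    // Server side (e.g. the sramp-server login module): verify against the public key
    // from the shared keystore and require that the one Reference covers the Assertion
    // root itself, so a signed fragment cannot vouch for unsigned content around it.
    static boolean verify(Document doc, PublicKey trusted) throws Exception {
        Element root = doc.getDocumentElement();
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != root) return false;
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(trusted, sigs.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        if (sig.getSignedInfo().getReferences().size() != 1) return false;
        Reference ref = (Reference) sig.getSignedInfo().getReferences().get(0);
        if (!("#" + root.getAttribute("ID")).equals(ref.getURI())) return false;
        return sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the shared keystore. In a deployment the pair would be created
        // once (keytool -genkeypair -keyalg RSA -keysize 2048 -keystore <file>) and
        // loaded on both sides with KeyStore.getInstance("JKS").load(...).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Document signed = parse(ASSERTION);
        sign(signed, kp);
        System.out.println("signed, untouched: " + verify(signed, kp.getPublic()));

        // The condition this bug report describes: an unsigned assertion is rejected.
        System.out.println("unsigned:          " + verify(parse(ASSERTION), kp.getPublic()));

        // Subject changed after signing: digest mismatch, rejected.
        signed.getElementsByTagNameNS(SAML_NS, "NameID").item(0).setTextContent("admin");
        System.out.println("tampered subject:  " + verify(signed, kp.getPublic()));

        // Signed with a key that is not in the shared keystore: rejected.
        Document forged = parse(ASSERTION);
        sign(forged, kpg.generateKeyPair());
        System.out.println("wrong key:         " + verify(forged, kp.getPublic()));
    }
}
```

Only the first case verifies; the unsigned, tampered and wrong-key assertions are all refused. Note that the verifier ignores any KeyInfo in the token and takes its trust solely from the key handed to it, which is what sharing a keystore between the UI and the server buys you. A valid signature on its own does not make a bearer token acceptable; the login module still has to check the assertion's content (issuer, validity window) on top of this, which the example does not show.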
I believe I missed this one. This should definitely be present in any post beta build.
Verified in FSW 6.0.0.CR1