Bug 1295472 - Lasso 2.5.0 not working with SHA-256 ADFS
Lasso 2.5.0 not working with SHA-256 ADFS
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: lasso (Show other bugs)
7.2
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: John Dennis
Namita Soman
: Reopened
Depends On: 1310860 1404295
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-04 10:45 EST by Thiyagarajan K
Modified: 2018-01-01 20:19 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-15 11:25:09 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
adfsmetadatasha256 (30.70 KB, text/plain)
2017-03-30 09:35 EDT, Mark Prewitt
no flags Details

  None (edit)
Description Thiyagarajan K 2016-01-04 10:45:23 EST
Description of problem:
I have installed mod_auth_mellon using yum repository. While using ADFS IDP with SHA-256, it not working. As per lasso team, the 2.5.0 should work with SHA-256. 

Version-Release number of selected component (if applicable):
lasso-2.5.0-1.el7.i686.rpm
Red Hat Enterprise Linux Server release 7.2 (Maipo)
Comment 2 John Dennis 2016-01-04 14:44:58 EST
We need more detailed information besides "it not working".

Did this work with the prior version of both mod_auth_mellon and lasso?

What specifically is not working?

What SAML profile are you using?

What is the IdP and SP metadata?

Are there log messages in /var/log/http/error_log related to this problem? If so what are they?

If there are no log messages you may need to turn up the verbosity of the logging to the debug level. To do this edit /etc/httpd/conf/httpd.conf and change the LogLevel to debug and they restart your Apache server.
Comment 3 Thiyagarajan K 2016-01-05 00:48:22 EST
What specifically is not working? - SHA 256 (SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1  is the error)

IDP - ADFS
SP - Mod_auth_mellon

The Lasso 2.5.0 should accept SHA 256, but it still throws above mentioned error in the log. The previous version of Lasso (2.4.1) is not supported for SHA 256. 

Thank you.
Comment 4 John Dennis 2016-01-05 18:42:46 EST
I'm having trouble parsing comment #3. You say Lasso 2.5.0 should accept SHA 256 but that is not what the paragraph above implies. If I'm reading it correctly what is happening is mellon is signing the request with SHA 256 and the ADFS IdP is rejecting it because it wants rsa-sha1. Did I get that correct?

Part of the problem is both the SP and the IdP can sign messages and both have an opportunity to reject a signature, so far there isn't enough information in this bug report to disambiguate. 

Apparently the ASFS IdP is very fussy with what signatures it will accepts and defaults to rsa-sha1 (but this can be controlled with configuration options).

It would really help if you provided:

* The exact error message and where it came from (e.g. was the error message in the Apache log file or was it returned by the IdP?)

* The metadata you're using for both the SP and the IdP (as requested in comment #2).

If the above is not sufficient to diagnose the problem I may need you to capture the SAML exchange (in fact this would really help because it allows me to see the dialog between the SP and IdP). The easiest way to do this is with the Firefox SAML Tracer Add-On (https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/). Install the add-on into your Firefox browser and activate it. Then make your request that triggers SAML SSO. In the SAML Tracer window find the request and click on it, click on the SAML tab, you'll see the decoded SAML request, copy it and attach it to this bug report. Do the same for the SAML Response. If there is anything sensitive you don't want to expose in a public bug report you can email the information to me instead.
Comment 5 John Dennis 2016-01-25 12:26:11 EST
For me to make progress on this I need to see the SAML conversation between the SP and the IdP. Can you capture the SAML exchange and attach it to this bug report? Thank you.
Comment 6 Nathan Kinder 2016-02-16 17:57:25 EST
Is there any update on the request for information from comment#5?  We need this information to proceed on investigation of this issue.
Comment 7 John Dennis 2016-02-16 18:12:44 EST
No additional information has been supplied. The reason I need to see the protocol exchanges is because the algorithms are embedded in the cert and possibly in the metadata ds KeyInfo. Unless I can see these values I can't determine who in the process is complaining or why or for that matter reproduce it.

The original reporter believes it's a SHA-2 issue, which it may very well be but without seeing the data nor being able to reproduce it (given the data) it's tough to fix. In essence what I'm asking for is a reproducer.

"While using ADFS IDP with SHA-256, it not working" is not sufficient information to proceed.
Comment 9 Brett Gardner 2016-02-18 21:51:24 EST
This is most likely caused by a bug in the lasso package.

See https://dev.entrouvert.org/issues/10019

When you configure to generate a sha256 hash, it would always generate a sha1
Comment 10 John Dennis 2016-06-09 18:10:54 EDT
Fixed in upstream with commit 74e8705b which is part of 2.5.1 release.
Comment 11 John Dennis 2016-06-15 11:25:09 EDT

*** This bug has been marked as a duplicate of bug 1310860 ***
Comment 12 Mark Prewitt 2017-03-29 12:18:43 EDT
Hi,
 As far as I can tell, this bug is still open.
We are using Mod_mellon .12 which uses lasso 2.5.1 and when your adfs server is configured for SHA-256 as the signing for the SP trust, it fails to decrypt with the error in the logs that Thiyagu provided in comment #3 above. That text in the comment is what is IN the logs.
This appears to be a known bug in lasso, but we went to the lasso 10019 thread an pulled that patch released and appear to be generating the same error.

What information would you like to be able to understand the problem.
Teh gist is that the sp-idp trust is failing because the metadata exchange is failing because the signing algorithm (sha1 or sha256) are not matching, works fine if adfs is set to sha1, and we have tested with PING in sha-256 an that works, but adfs sha-256 throws the error in lasso that:

"SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 . Expected signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1"

The aDFS is configured with SHA256, yet Lasso is defaulting to sha1 and rejecting the IDP metadata signed with sha256, saying it wants Sha1.
in your comment 4 you were backwards on your assumption.
sorry for the long time in reply, thiyagu left our firm and we weren't aware he had started this thread until we were googling for help with this error.
Mark
Comment 13 John Dennis 2017-03-29 15:29:51 EDT
Are you are saying you cannot load the ADFS metadata into mellon because the ADFS metadata is signed with SHA256 and the signature verification is failing on the ADFS metadata? That implies you never even got to the point of exchanging SAML messages for authentication. Did I get that right?

Supplying the failing ADFS metadata would be a good step in allowing us to diagnose the problem.
Comment 14 Mark Prewitt 2017-03-29 16:24:02 EDT
That is correct. We cannot exchange saml because the trust won't establish because it can't decipher the metadata.
Comment 15 John Dennis 2017-03-29 16:27:09 EDT
Please supply the metadata. Thank you.
Comment 16 Mark Prewitt 2017-03-29 16:38:05 EDT
both sides? or one in particular?
and it may be tomorrow as I am buried in meetings the rest of today. 
sorry for the delay.. I have to rest a test site back to sha256 to do this..
Comment 17 John Dennis 2017-03-29 17:52:06 EDT
Since you claim it's the IdP metadata that is failing that would be the metadata we would need to reproduce the problem.

Signature validation requires access to the public key (i.e. cert) of the signer. Sometimes this is included in the document in the <KeyInfo><X509Certificate> element, but it is not mandatory in SAML. If the metadata does not contain the X509 cert then we'll need that as well (plus any other certs in the chain).
Comment 18 Mark Prewitt 2017-03-30 09:35 EDT
Created attachment 1267536 [details]
adfsmetadatasha256

Here is the adfs metadata setup for 256.
We tested with a build of mod mellon 13 and also 12, and using lasso.x86_64 2.5.1.
Thanks
Comment 20 jingruhuang 2017-05-02 13:51:07 EDT
Is there any further information about this error?  I encountered the same issue.  When ADF sets assertion signing with SHA1, it works...  But when ADF sets  assertion signing with SHA256, I get the same exact error.  My lasso package is the latest one lasso-devel-2.5.1-2.el7.x86_64 and lasso-2.5.1-2.el7.x86_64.  I even set the rpm macros file to ensure file digest with SHA256.  Is the bug resolved yet?
Comment 21 Davide 2017-07-06 10:05:07 EDT
Hello, any update about this issue? We have same problem with the following setup:

IDP -> ADFS (Windows 2012 R2)

SP -> mod_auth_mellon (CentOS 7.3 + Apache 2.4.6 + lasso-2.5.1-2)

If SHA1 is set on the IDP then everything works fine, however if SHA256 is selected an Event 364 is logged by ADFS that is

The message is not signed with expected signature algorithm. Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1. Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.

Apache logs the following:

Error processing auth response. Lasso error: [-432] Status code is not success
Comment 23 John Dennis 2017-12-01 17:25:45 EST
Comment #21 seems to be the relevant information, the problem is not occurring on the Mellon/Lasso side, it's with the IdP (e.g. ADFS) Mellon is communicating with, or so I believe based on that message and what I've been able to Google concerning ADFS. I will also add this caveat in advance, I'm not familiar with ADFS or for that matter most Microsoft products, but I do know SAML. We currently have no evidence the updated Lasso package is not able to process received signatures with SHA-256, more to the point that does not seem to be the issue. Let me explain what I think is going on.

In SAML there are two parties, an SP (role played by Mellon) and an IdP (role played by ADFS). In SAML parlance the SP is a "relying party" because it "relies" on assertions provided by the IdP and the IdP is called the "asserting party".

Each party can sign their messages. How each party signs their messages is at the sole discretion of the party signing the message. When configuration information is exchanged by the parties (e.g. SAML metadata) they DO NOT specify the signature mechanism, the extent of the signature configuration information is limited to "I want signed messages", "I will sign messges" and if I'm signing here is the public key I will use. The digest algorithm is never part of this configuration information. The digest appears in the SIGNED MESSAGE once the message is received.

The signing properties of the SP (relying party) and the IdP (asserting party) are completely INDEPENDENT of one another.

The ADFS error in comment #21 is stating the SP (relying party) sent a signed AuthnRequest with a signature it did not like hence it's is rejecting it. This is NOT related to Mellon/Lasso being able to validate a signed message received from the IdP.

Apparently ADFS has a configuration option to set the expected (required) digest algorithm for EACH RELYING PARTY. Currently it accepts only 2 values, SHA-1 and SHA-256. This is NOT (or should not be) the configuration option for how ADFS signs it's messages sent to the relying parties. Or at least I don't believe so, this really a question to be answered by Microsoft, the key point is sending a signed message and receiving a signed message are 2 independent things (I don't know if Microsoft has conflated the two concepts or not, I could not find any definitive information in my searching).

Mellon is hardcoded to send it's messages signed with SHA-1. I believe the solution is to modify the relying party configuration in ADFS for your Mellon SP to be SHA-1 since that is what Mellon is sending. This tech article from Microsoft show the details of setting the relying party digest configuration.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-federation-sha256-guidance

If modifying this configuration option also changes how ADFS signs it's messages then that would seem to violate the principal each party is independent, there should be a separate setting controlling only how ADFS signs.

Many IdP's simply accept valid signature from their relying parties without forcing a specific digest, apparently ADFS wants to be EXPLICIT as to what digest the relying party will use. Once again this is a question for Microsoft. Also I want to reiterate this is independent of Mellon's ability to properly validate a signature received from ADFS using SHA-256.

I would be good if Mellon had a configuration option to set the signature method it uses, but that's an RFE not a bug. My suggestion is someone open a RFE bug requesting this feature.

It would be helpful if we could find explicit documentation on this part of ADFS behavior or have someone from Microsoft confirm whether the signature methods between the parties is independent or co-related. If this isn't in their public documentation somewhere then I suspect only an engineer is going to know this at this level of detail.
Comment 24 John Dennis 2017-12-08 16:17:23 EST
I have a patched build of mod_auth_mellon for RHEL7.4 which includes the ability to set the signature method used by mellon to sign it's requests. Previously it defaulted to rsa-sha1, now it defaults to rsa-sha256 but can also be explicitly set via the new MellonSignatureMethod configuration directive.

The hope and expectation is this should solve the problem when authenticating against ADFS when the ADFS provider signature algorithm set to SHA-256. With this fix ADFS should no longer complain and the authentication will be successful.

This has been successfully tested against RH-SSO, but we n

If you are affected by this bug contact Red Hat Global Support Services and request the test build.

Note You need to log in before you can comment on or make changes to this bug.