I've got WSO2 IS running and a service provider that has SAML inbound authentication set up. I've enabled the "Enable Signature Validation in Authentication Requests and Logout Requests" checkbox for the SAML service provider.

If I send an AuthnRequest that is not properly signed, it will error. However, if I send a LogoutRequest with no signature (or with a signature made from a completely different cert/key), it will log my user out without error. How can I enable actual signature validation in WSO2 IS?

I'm running the latest WSO2 Docker Container. I believe that is IS 5.7.0 according to this startup logging:

Starting WSO2 Carbon...
Operating System : Linux 4.9.93-linuxkit-aufs, amd64
Java Home : /home/wso2carbon/java/jre
Java Version : 1.8.0_144
Java VM : Java HotSpot(TM) 64-Bit Server VM 25.144-b01,Oracle Corporation
Carbon Home : /home/wso2carbon/wso2is-5.7.0
Java Temp Dir : /home/wso2carbon/wso2is-5.7.0/tmp
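
An added example (not part of the original question and not WSO2 code): a small Python helper that reports whether a SAML request carries any signature, either as `Signature`/`SigAlg` query parameters (HTTP-Redirect binding) or as a `ds:Signature` child element (HTTP-POST binding), so a test LogoutRequest can be confirmed as unsigned when reproducing the behaviour described above. It checks presence only, not cryptographic validity; the sample message and all function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

DS_SIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

# Constructed sample message; issuer, ID and NameID are placeholders.
UNSIGNED_LOGOUT = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
    'Version="2.0" IssueInstant="2019-01-01T00:00:00Z">'
    '<saml:Issuer>example-sp</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID>'
    '</samlp:LogoutRequest>'
)

def redirect_encode(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return base64.b64encode(raw).decode()

def signature_status(query_string=None, post_value=None):
    """Return (message type, 'query' | 'xml' | None). Presence only, not validity."""
    if query_string is not None:
        params = parse_qs(query_string)
        xml_bytes = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
        detached = "Signature" in params and "SigAlg" in params
    else:
        xml_bytes = base64.b64decode(post_value)
        detached = False
    # Constructed input only; parse untrusted XML with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_bytes)
    msg_type = root.tag.rsplit("}", 1)[-1]
    if detached:
        return msg_type, "query"
    if root.find(DS_SIG) is not None:
        return msg_type, "xml"
    return msg_type, None

def should_be_rejected(query_string=None, post_value=None):
    """True when the request carries no signature at all."""
    return signature_status(query_string, post_value)[1] is None

if __name__ == "__main__":
    qs = urlencode({"SAMLRequest": redirect_encode(UNSIGNED_LOGOUT)})
    print(signature_status(query_string=qs), should_be_rejected(query_string=qs))
```
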

1 Answers