0 Replies Latest reply on Jan 18, 2012 3:14 PM by pcraveiro

    SPPostSignatureFormAuthenticator is not Validating Signatures

    pcraveiro

      Hi,

       

       

          It seems that the SPPostSignatureFormAuthenticator Valve is not checking signatures of SAML Assertions returned by the IDP because the value of the validateSignature property is always false. During the Valve startup only supportSignatures is set to true.

       

          Is there some other way to enable signature validation in this Valve?

       

          Here is a patch that I used to overcome this problem. Is this patch really needed?

       

      Index: SPPostSignatureFormAuthenticator.java

      ===================================================================

      --- SPPostSignatureFormAuthenticator.java    (revision 1323)

      +++ SPPostSignatureFormAuthenticator.java    (working copy)

      @@ -69,7 +69,8 @@

          {

             super.start();

             this.supportSignatures = true;

      +     this.validateSignature = true;

      +     

             KeyProviderType keyProvider = this.spConfiguration.getKeyProvider();

             if (keyProvider == null)

                throw new LifecycleException(ErrorCodes.NULL_VALUE + "KeyProvider");
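
      Review bot: The added `this.validateSignature = true;` runs only after `super.start()` has returned, so any initialization in the parent's start() that depends on this flag would still see its previous value; confirm the parent does not read it during startup, or move the assignment ahead of `super.start()`. The assignment is also unconditional, which suits an authenticator whose purpose is signed assertions, but a short comment saying that validation is mandatory for this Valve would stop a later change from making it optional again. The second added line contains only whitespace and can be dropped. A regression test that starts the Valve and checks that an assertion with a missing or altered signature is rejected would show the flag is actually honored on the response path.
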

       

      Thanks,

      Pedro Igor