APIGW: Enable SAML audience checking

- Audience checking for SAML responses is one way to prevent attackers from reusing e.g. login responses intended for another SP (from a trusted IdP) to log into eVaka
    - Without audience checking, eVaka would only check that the message came from a trusted IdP and would allow login/logout -> any user that can log in the IdP (AD mainly, in this case) can log into eVaka even if the IdP wouldn't permit it (e.g. missing AD role to access eVaka)
- Also sort SAML config attributes alphabetically for consistency

Author: mikkopiu

apigw/src/shared/auth/ad-saml.ts

@@ -101,20 +101,19 @@ export default function createAdStrategy(): SamlStrategy | DevPassportStrategy {
     if (!adConfig) throw Error('Missing AD SAML configuration')
     return new SamlStrategy(
       {
+        acceptedClockSkewMs: 0,
+        audience: adConfig.issuer,
         callbackUrl: adConfig.callbackUrl,
-        entryPoint: adConfig.entryPointUrl,
-        logoutUrl: adConfig.logoutUrl,
-        issuer: adConfig.issuer,
         cert: adConfig.publicCert.map(
           (certificateName) => certificates[certificateName]
         ),
-        privateCert: readFileSync(adConfig.privateCert, {
-          encoding: 'utf8'
-        }),
-        identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
         disableRequestedAuthnContext: true,
-        signatureAlgorithm: 'sha256',
-        acceptedClockSkewMs: 0
+        entryPoint: adConfig.entryPointUrl,
+        identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+        issuer: adConfig.issuer,
+        logoutUrl: adConfig.logoutUrl,
+        privateCert: readFileSync(adConfig.privateCert, { encoding: 'utf8' }),
+        signatureAlgorithm: 'sha256'
       },
       (profile: Profile, done: VerifiedCallback) => {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any

apigw/src/shared/auth/keycloak-saml.ts

@@ -22,15 +22,16 @@ export default function createKeycloakSamlStrategy(): SamlStrategy {
   })
   return new SamlStrategy(
     {
-      issuer: 'evaka',
-      callbackUrl: evakaSamlConfig.callbackUrl,
-      entryPoint: evakaSamlConfig.entryPoint,
-      logoutUrl: evakaSamlConfig.entryPoint,
       acceptedClockSkewMs: 0,
+      audience: evakaSamlConfig.issuer,
+      callbackUrl: evakaSamlConfig.callbackUrl,
       cert: publicCert,
-      privateCert: privateCert,
       decryptionPvk: privateCert,
+      entryPoint: evakaSamlConfig.entryPoint,
       identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+      issuer: 'evaka',
+      logoutUrl: evakaSamlConfig.entryPoint,
+      privateCert: privateCert,
       signatureAlgorithm: 'sha256'
     },
     (profile: Profile, done: VerifiedCallback) => {

apigw/src/shared/auth/suomi-fi-saml.ts

@@ -66,19 +66,20 @@ export default function createSuomiFiStrategy(): Strategy | DummyStrategy {
     })
     return new Strategy(
       {
+        acceptedClockSkewMs: 0,
+        audience: sfiConfig.issuer,
         callbackUrl: sfiConfig.callbackUrl,
-        entryPoint: sfiConfig.entryPoint,
-        logoutUrl: sfiConfig.logoutUrl,
-        issuer: sfiConfig.issuer,
         cert: sfiConfig.publicCert.map(
           (certificateName) => certificates[certificateName]
         ),
-        privateCert: privateCert,
         decryptionPvk: privateCert,
-        identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
         disableRequestedAuthnContext: true,
-        signatureAlgorithm: 'sha256',
-        acceptedClockSkewMs: 0
+        entryPoint: sfiConfig.entryPoint,
+        identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+        issuer: sfiConfig.issuer,
+        logoutUrl: sfiConfig.logoutUrl,
+        privateCert: privateCert,
+        signatureAlgorithm: 'sha256'
       },
       (profile: Profile, done: VerifiedCallback) => {
         // eslint-disable-next-line @typescript-eslint/no-explicit-any

apigw/src/shared/config.ts

@@ -193,6 +193,13 @@ export const evakaSamlConfig = evakaCallbackUrl
             'http://localhost:8080/auth/realms/evaka/protocol/saml'
           )
       ),
+      issuer: required(
+        process.env.EVAKA_SAML_ISSUER ??
+          ifNodeEnv(
+            ['local', 'test'],
+            'http://localhost:8080/auth/realms/evaka'
+          )
+      ),
       publicCert: required(
         process.env.EVAKA_SAML_PUBLIC_CERT ??
           ifNodeEnv(['local', 'test'], 'config/test-cert/keycloak-local.pem')