
[EVAKA-HOTFIX] Harden SAML configuration for replay attacks, audience confusion #788

Merged

merged 2 commits into master from fix/saml-config-hardening
May 4, 2021

Conversation

mikkopiu

@mikkopiu mikkopiu commented May 4, 2021

Summary

This is part 2 of the SAML configuration hardenings/fixes as reported by a white hat. SLO fixes are in progress in #738 and InResponseTo checking will follow later.

  • APIGW: Enable SAML audience checking
    • Audience checking for SAML responses is one way to prevent attackers from reusing e.g. login responses intended for another SP (from a trusted IdP) to log into eVaka
      • Without audience checking, eVaka would only check that the message came from a trusted IdP and would allow login/logout -> any user that can log in the IdP (AD mainly, in this case) can log into eVaka even if the IdP wouldn't permit it (e.g. missing AD role to access eVaka)
    • Add new configuration for "eVaka SAML" (i.e. Keycloak), EVAKA_SAML_ISSUER for use as the expected audience (same for Suomi.fi and AD but they already have equivalent configs exposed)
  • APIGW: Enable notOnOrAfter SAML validation
    • This limits replay attack feasibility by enabling the SAML notOnOrAfter checks in passport-saml meaning that responses are only valid as long as described by themselves in the aforementioned property
    • The value -1 for acceptedClockSkewMs disables this check completely, meaning that SAML responses can be replayed indefinitely (or at least while the certificates in them are valid)

Dependencies

- This limits replay attack feasibility by enabling the SAML `notOnOrAfter` checks in `passport-saml` meaning that responses are only valid as long as described by themselves in the aforementioned property
  - The value -1 for `acceptedClockSkewMs` disables this check completely, meaning that SAML responses can be replayed indefinitely (or at least while the certificates in them are valid)
@mikkopiu mikkopiu requested review from Gekkio and reynders May 4, 2021 09:15
- Audience checking for SAML responses is one way to prevent attackers from reusing e.g. login responses intended for another SP (from a trusted IdP) to log into eVaka
  - Without audience checking, eVaka would only check that the message came from a trusted IdP and would allow login/logout -> any user that can log in the IdP (AD mainly, in this case) can log into eVaka even if the IdP wouldn't permit it (e.g. missing AD role to access eVaka)
- Also sort SAML config attributes alphabetically for consistency
@mikkopiu mikkopiu force-pushed the fix/saml-config-hardening branch from d4c3852 to 176dca5 Compare May 4, 2021 09:54
@mikkopiu mikkopiu merged commit a6d3efd into master May 4, 2021
@mikkopiu mikkopiu deleted the fix/saml-config-hardening branch May 4, 2021 11:51
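The two checks this PR turns on, audience restriction and the `NotBefore`/`NotOnOrAfter` window, as an added illustration that is not eVaka's or passport-saml's own code: it models the decision passport-saml makes from the `audience` and `acceptedClockSkewMs` options on a pre-parsed `<saml:Conditions>` element, and shows why `-1` leaves a response replayable. Entity IDs, timestamps and option values below are constructed.

```javascript
// passport-saml semantics: acceptedClockSkewMs === -1 disables the time checks entirely.
const CLOCK_SKEW_CHECK_DISABLED = -1;

// Time-window check with a tolerance of acceptedClockSkewMs on both edges.
function checkTimestamps(cond, acceptedClockSkewMs, nowMs) {
  if (acceptedClockSkewMs === CLOCK_SKEW_CHECK_DISABLED) return null; // no check at all -> indefinitely replayable
  if (cond.notBefore && nowMs + acceptedClockSkewMs < Date.parse(cond.notBefore)) {
    return 'SAML assertion not yet valid';
  }
  if (cond.notOnOrAfter && nowMs - acceptedClockSkewMs >= Date.parse(cond.notOnOrAfter)) {
    return 'SAML assertion expired';
  }
  return null;
}

// Audience check: the assertion's AudienceRestriction must name this SP.
function checkAudience(cond, expectedAudience) {
  if (!expectedAudience) return null; // no expected audience configured -> a response meant for any SP passes
  const audiences = cond.audiences || [];
  if (audiences.length === 0) return 'SAML assertion has no AudienceRestriction';
  if (!audiences.includes(expectedAudience)) return 'SAML assertion audience mismatch';
  return null;
}

// Returns null when the assertion is acceptable, otherwise the first rejection reason.
function validateConditions(cond, opts, nowMs = Date.now()) {
  return checkAudience(cond, opts.audience) || checkTimestamps(cond, opts.acceptedClockSkewMs, nowMs);
}

// Constructed sample: an assertion the IdP issued to a different SP, valid for five minutes.
const sampleConditions = {
  notBefore: '2021-05-04T09:00:00Z',
  notOnOrAfter: '2021-05-04T09:05:00Z',
  audiences: ['https://other-sp.example/saml'], // hypothetical entity ID of the other SP
};

// Before: no expected audience, time checks disabled.
const weakOptions = { acceptedClockSkewMs: -1 };
// After: expected audience (what EVAKA_SAML_ISSUER is used for; hypothetical value) and a 60 s skew allowance.
const hardenedOptions = { audience: 'https://evaka.example/saml', acceptedClockSkewMs: 60 * 1000 };

// Captured a day later, the other SP's response still passes the weak config but not the hardened one.
const replayedAt = Date.parse('2021-05-05T09:00:00Z');
console.log(validateConditions(sampleConditions, weakOptions, replayedAt));     // null (accepted)
console.log(validateConditions(sampleConditions, hardenedOptions, replayedAt)); // 'SAML assertion audience mismatch'
```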