Skip to content

Add Issuer to failed SAML Signature validation logs when available #126310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 15 commits into from
Apr 8, 2025
Merged

Add Issuer to failed SAML Signature validation logs when available #126310

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
39fe357
Add Issuer to failed SAML Signature validation logs when available
richard-dennehy Apr 4, 2025
8d4d813
[CI] Auto commit changes from spotless
Apr 4, 2025
8533c8e
Fix tests
richard-dennehy Apr 4, 2025
f714d35
Update docs/changelog/126310.yaml
richard-dennehy Apr 4, 2025
312b2ab
Merge branch 'main' of github.com:elastic/elasticsearch into saml-iss…
richard-dennehy Apr 7, 2025
198cdf9
address review comments
richard-dennehy Apr 7, 2025
7de3149
replace String.format call
richard-dennehy Apr 7, 2025
f5ff8b1
update formatIssuer to describeIssuer
richard-dennehy Apr 7, 2025
301f6a0
[CI] Auto commit changes from spotless
Apr 7, 2025
fa9b48c
truncate long issuers in log messages
richard-dennehy Apr 7, 2025
16cb4b8
[CI] Auto commit changes from spotless
Apr 7, 2025
de44463
handle null issuer value
richard-dennehy Apr 7, 2025
42ebafc
address review comments
richard-dennehy Apr 7, 2025
474a79c
Merge branch 'main' into saml-issuer-in-warn-logs
richard-dennehy Apr 7, 2025
4893144
Merge branch 'main' into saml-issuer-in-warn-logs
richard-dennehy Apr 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions docs/changelog/126310.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
pr: 126310
summary: Add Issuer to failed SAML Signature validation logs when available
area: Security
type: enhancement
issues:
- 111022
4 changes: 2 additions & 2 deletions ...security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ private SamlAttributes authenticateResponse(Element element, Collection<String>
}
final boolean requireSignedAssertions;
if (response.isSigned()) {
validateSignature(response.getSignature());
validateSignature(response.getSignature(), response.getIssuer());
requireSignedAssertions = false;
} else {
requireSignedAssertions = true;
Expand Down Expand Up @@ -199,7 +199,7 @@ private List<Attribute> processAssertion(Assertion assertion, boolean requireSig
}
// Do not further process unsigned Assertions
if (assertion.isSigned()) {
validateSignature(assertion.getSignature());
validateSignature(assertion.getSignature(), assertion.getIssuer());
} else if (requireSignature) {
throw samlException("Assertion [{}] is not signed, but a signature is required", assertion.getElementQName());
}
Expand Down
2 changes: 1 addition & 1 deletion ...y/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlLogoutRequestHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ private Result parseLogout(LogoutRequest logoutRequest, boolean requireSignature
throw samlException("Logout request is not signed");
}
} else {
validateSignature(signature);
validateSignature(signature, logoutRequest.getIssuer());
}

checkIssuer(logoutRequest.getIssuer(), logoutRequest);
Expand Down
2 changes: 1 addition & 1 deletion .../src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlLogoutResponseHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ public void handle(boolean httpRedirect, String payload, Collection<String> allo
if (logoutResponse.getSignature() == null) {
throw samlException("LogoutResponse is not signed, but is required for HTTP-Post binding");
}
validateSignature(logoutResponse.getSignature());
validateSignature(logoutResponse.getSignature(), logoutResponse.getIssuer());
}
checkInResponseTo(logoutResponse, allowedSamlRequestIds);
checkStatus(logoutResponse.getStatus());
Expand Down
42 changes: 24 additions & 18 deletions ...security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlObjectHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,13 +161,13 @@ protected static String describe(Collection<X509Credential> credentials) {
return credentials.stream().map(credential -> describe(credential.getEntityCertificate())).collect(Collectors.joining(","));
}

void validateSignature(Signature signature) {
void validateSignature(Signature signature, Issuer issuer) {
final String signatureText = text(signature, 32);
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
try {
profileValidator.validate(signature);
} catch (SignatureException e) {
throw samlSignatureException(idp.getSigningCredentials(), signatureText, e);
throw samlSignatureException(issuer, idp.getSigningCredentials(), signatureText, e);
}

checkIdpSignature(credential -> {
Copy link
Contributor

@jfreden jfreden Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the warning in this method also include the issuer? https://github.com/elastic/elasticsearch/pull/126310/files#diff-19351c3f19f00d928645d11a61ef3c3dea10982b13f8f7ed47773c18d034b33dR203

And maybe here too: https://github.com/elastic/elasticsearch/pull/126310/files#diff-19351c3f19f00d928645d11a61ef3c3dea10982b13f8f7ed47773c18d034b33dL234

Expand Down Expand Up @@ -207,14 +207,14 @@ void validateSignature(Signature signature) {
} catch (PrivilegedActionException e) {
throw new SecurityException("SecurityException while attempting to validate SAML signature", e);
}
}, signatureText);
}, signatureText, issuer);
}

/**
* Tests whether the provided function returns {@code true} for any of the IdP's signing credentials.
* @throws ElasticsearchSecurityException - A SAML exception if not matching credential is found.
* @throws ElasticsearchSecurityException - A SAML exception if no matching credential is found.
*/
protected void checkIdpSignature(CheckedFunction<Credential, Boolean, Exception> check, String signatureText) {
protected void checkIdpSignature(CheckedFunction<Credential, Boolean, Exception> check, String signatureText, Issuer issuer) {
final Predicate<Credential> predicate = credential -> {
try {
return check.apply(credential);
Expand All @@ -237,29 +237,35 @@ protected void checkIdpSignature(CheckedFunction<Credential, Boolean, Exception>
};
final List<Credential> credentials = idp.getSigningCredentials();
if (credentials.stream().anyMatch(predicate) == false) {
throw samlSignatureException(credentials, signatureText);
throw samlSignatureException(issuer, credentials, signatureText);
}
}

/**
* Constructs a SAML specific exception with a consistent message regarding SAML Signature validation failures
*/
private ElasticsearchSecurityException samlSignatureException(List<Credential> credentials, String signature, Exception cause) {
private ElasticsearchSecurityException samlSignatureException(
Issuer issuer,
List<Credential> credentials,
String signature,
Exception cause
) {
final String issuerValue = issuer != null ? issuer.getValue() : "";
logger.warn(
"The XML Signature of this SAML message cannot be validated. Please verify that the saml realm uses the correct SAML"
+ "metadata file/URL for this Identity Provider"
"The XML Signature of this SAML message cannot be validated. Please verify that the saml realm uses the correct SAML "
+ "metadata file/URL for this Identity Provider {}",
Copy link
Contributor

@jfreden jfreden Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: A convention for logging is:

If the log message includes values from your code then you must use placeholders rather than constructing the string yourself using simple concatenation. Consider wrapping the values in [...] to help distinguish them from the static part of the message.

Can you add that around issuerValue (maybe at the null check?)?

issuerValue
);
final String msg = "SAML Signature [{}] could not be validated against [{}]";
return samlException(msg, cause, signature, describeCredentials(credentials));
if (cause != null) {
return samlException(msg, cause, signature, describeCredentials(credentials));
} else {
return samlException(msg, signature, describeCredentials(credentials));
}
}

private ElasticsearchSecurityException samlSignatureException(List<Credential> credentials, String signature) {
logger.warn(
"The XML Signature of this SAML message cannot be validated. Please verify that the saml realm uses the correct SAML"
+ "metadata file/URL for this Identity Provider"
);
final String msg = "SAML Signature [{}] could not be validated against [{}]";
return samlException(msg, signature, describeCredentials(credentials));
private ElasticsearchSecurityException samlSignatureException(Issuer issuer, List<Credential> credentials, String signature) {
return samlSignatureException(issuer, credentials, signature, null);
Copy link
Contributor Author

@richard-dennehy richard-dennehy Apr 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove duplication (since I need to edit the exact same log message twice)

Copy link
Contributor

@jfreden jfreden Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

}

private static String describeCredentials(List<Credential> credentials) {
Expand Down Expand Up @@ -423,7 +429,7 @@ private void validateSignature(String inputString, String signatureAlgorithm, St
);
return false;
}
}, signatureText);
}, signatureText, null);
Copy link
Contributor Author

@richard-dennehy richard-dennehy Apr 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the context of this is SAML Logout with a query string; the message gets parsed into a SAML document after the signature has been verified, so I'm not sure it's possible to pass an Issuer here

Copy link
Contributor

@jfreden jfreden Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I agree. We could change the order of things here so the issuer is parsed from the message before throwing the error, but if that parsing fails, it ends up causing more confusion than help so I think it makes sense to leave it as it.

}

protected byte[] decodeBase64(String content) {
Expand Down
90 changes: 68 additions & 22 deletions ...ity/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,9 @@ public class SamlAuthenticatorTests extends SamlResponseHandlerTests {
+ "Attributes with a name clash may prevent authentication or interfere will role mapping. "
+ "Change your IdP configuration to use a different attribute *"
+ " that will not clash with any of [*]";
private static final String SIGNATURE_VALIDATION_FAILED_LOG_MESSAGE = "The XML Signature of this SAML message cannot be validated. "
+ "Please verify that the saml realm uses the correct SAML metadata file/URL for this Identity Provider "
+ "https://idp.saml.elastic.test/";

private SamlAuthenticator authenticator;

Expand Down Expand Up @@ -741,16 +744,29 @@ public void testIncorrectSigningKeyIsRejected() throws Exception {
// check that the content is valid when signed by the correct key-pair
assertThat(authenticator.authenticate(token(signer.transform(xml, idpSigningCertificatePair))), notNullValue());

// check is rejected when signed by a different key-pair
final Tuple<X509Certificate, PrivateKey> wrongKey = readKeyPair("RSA_4096_updated");
final ElasticsearchSecurityException exception = expectThrows(
ElasticsearchSecurityException.class,
() -> authenticator.authenticate(token(signer.transform(xml, wrongKey)))
);
assertThat(exception.getMessage(), containsString("SAML Signature"));
assertThat(exception.getMessage(), containsString("could not be validated"));
assertThat(exception.getCause(), nullValue());
assertThat(SamlUtils.isSamlException(exception), is(true));
try (var mockLog = MockLog.capture(authenticator.getClass())) {
Copy link
Contributor Author

@richard-dennehy richard-dennehy Apr 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update existing tests to check for log message

Copy link
Contributor

@jfreden jfreden Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

mockLog.addExpectation(
new MockLog.SeenEventExpectation(
"Invalid Signature",
authenticator.getClass().getName(),
Level.WARN,
SIGNATURE_VALIDATION_FAILED_LOG_MESSAGE
)
);

// check is rejected when signed by a different key-pair
final Tuple<X509Certificate, PrivateKey> wrongKey = readKeyPair("RSA_4096_updated");
final ElasticsearchSecurityException exception = expectThrows(
ElasticsearchSecurityException.class,
() -> authenticator.authenticate(token(signer.transform(xml, wrongKey)))
);
assertThat(exception.getMessage(), containsString("SAML Signature"));
assertThat(exception.getMessage(), containsString("could not be validated"));
assertThat(exception.getCause(), nullValue());
assertThat(SamlUtils.isSamlException(exception), is(true));

mockLog.assertAllExpectationsMatched();
}
}

public void testSigningKeyIsReloadedForEachRequest() throws Exception {
Expand Down Expand Up @@ -1301,24 +1317,54 @@ public void testFailureWhenIdPCredentialsAreEmpty() throws Exception {
authenticator = buildAuthenticator(() -> emptyList(), emptyList());
final String xml = getSimpleResponseAsString(clock.instant());
final SamlToken token = token(signResponse(xml));
final ElasticsearchSecurityException exception = expectSamlException(() -> authenticator.authenticate(token));
assertThat(exception.getCause(), nullValue());
assertThat(exception.getMessage(), containsString("SAML Signature"));
assertThat(exception.getMessage(), containsString("could not be validated"));
// Restore the authenticator with credentials for the rest of the test cases
authenticator = buildAuthenticator(() -> buildOpenSamlCredential(idpSigningCertificatePair), emptyList());

try (var mockLog = MockLog.capture(authenticator.getClass())) {
mockLog.addExpectation(
new MockLog.SeenEventExpectation(
"Invalid signature",
authenticator.getClass().getName(),
Level.WARN,
SIGNATURE_VALIDATION_FAILED_LOG_MESSAGE
)
);

final ElasticsearchSecurityException exception = expectSamlException(() -> authenticator.authenticate(token));
assertThat(exception.getCause(), nullValue());
assertThat(exception.getMessage(), containsString("SAML Signature"));
assertThat(exception.getMessage(), containsString("could not be validated"));

mockLog.awaitAllExpectationsMatched();
} finally {
// Restore the authenticator with credentials for the rest of the test cases
authenticator = buildAuthenticator(() -> buildOpenSamlCredential(idpSigningCertificatePair), emptyList());
}
}

public void testFailureWhenIdPCredentialsAreNull() throws Exception {
authenticator = buildAuthenticator(() -> singletonList(null), emptyList());
final String xml = getSimpleResponseAsString(clock.instant());
final SamlToken token = token(signResponse(xml));
final ElasticsearchSecurityException exception = expectSamlException(() -> authenticator.authenticate(token));
assertThat(exception.getCause(), nullValue());
assertThat(exception.getMessage(), containsString("SAML Signature"));
assertThat(exception.getMessage(), containsString("could not be validated"));
// Restore the authenticator with credentials for the rest of the test cases
authenticator = buildAuthenticator(() -> buildOpenSamlCredential(idpSigningCertificatePair), emptyList());

try (var mockLog = MockLog.capture(authenticator.getClass())) {
mockLog.addExpectation(
new MockLog.SeenEventExpectation(
"Invalid signature",
authenticator.getClass().getName(),
Level.WARN,
SIGNATURE_VALIDATION_FAILED_LOG_MESSAGE
)
);

final ElasticsearchSecurityException exception = expectSamlException(() -> authenticator.authenticate(token));
assertThat(exception.getCause(), nullValue());
assertThat(exception.getMessage(), containsString("SAML Signature"));
assertThat(exception.getMessage(), containsString("could not be validated"));

mockLog.awaitAllExpectationsMatched();
} finally {
// Restore the authenticator with credentials for the rest of the test cases
authenticator = buildAuthenticator(() -> buildOpenSamlCredential(idpSigningCertificatePair), emptyList());
}
}

private interface CryptoTransform {
Expand Down
Loading