sources/saml: prevent authnrequest signature being inside body on redirect (#19898)

PeshekDotDev · web-flow · commit fd778b18adc6 · 2026-02-05T17:13:33.000-06:00
* fix for main

* fix for main

* fix processor and tests
diff --git a/authentik/providers/saml/tests/test_auth_n_request.py b/authentik/providers/saml/tests/test_auth_n_request.py
@@ -29,7 +29,7 @@
 from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
-from authentik.sources.saml.models import SAMLSource
+from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
 from authentik.sources.saml.processors.request import SESSION_KEY_REQUEST_ID, RequestProcessor
 from authentik.sources.saml.processors.response import ResponseProcessor
 
@@ -104,6 +104,7 @@ def setUp(self):
             signing_kp=self.cert,
             verification_kp=self.cert,
             signed_assertion=True,
+            binding_type=SAMLBindingTypes.POST,
         )
 
     def test_signed_valid(self):
diff --git a/authentik/providers/saml/tests/test_schema.py b/authentik/providers/saml/tests/test_schema.py
@@ -12,7 +12,7 @@
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
-from authentik.sources.saml.models import SAMLSource
+from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
 from authentik.sources.saml.processors.request import RequestProcessor
 
 
@@ -35,6 +35,7 @@ def setUp(self):
             issuer="authentik",
             signing_kp=cert,
             pre_authentication_flow=create_test_flow(),
+            binding_type=SAMLBindingTypes.POST,
         )
         self.request_factory = RequestFactory()
 
diff --git a/authentik/sources/saml/processors/request.py b/authentik/sources/saml/processors/request.py
@@ -20,7 +20,7 @@
 from authentik.providers.saml.utils import get_random_id
 from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
 from authentik.providers.saml.utils.time import get_time_string
-from authentik.sources.saml.models import SAMLSource
+from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
 
 SESSION_KEY_REQUEST_ID = "authentik/sources/saml/request_id"
 
@@ -70,7 +70,7 @@ def get_auth_n(self) -> Element:
         # Create issuer object
         auth_n_request.append(self.get_issuer())
 
-        if self.source.signing_kp:
+        if self.source.signing_kp and self.source.binding_type != SAMLBindingTypes.REDIRECT:
             sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
                 self.source.signature_algorithm, xmlsec.constants.TransformRsaSha1
             )
@@ -91,7 +91,7 @@ def build_auth_n(self) -> str:
         (used for POST Bindings)"""
         auth_n_request = self.get_auth_n()
 
-        if self.source.signing_kp:
+        if self.source.signing_kp and self.source.binding_type != SAMLBindingTypes.REDIRECT:
             xmlsec.tree.add_ids(auth_n_request, ["ID"])
 
             ctx = xmlsec.SignatureContext()
