
🔒 Security / Validate assertion Issuer against IdP entity_id #46

Open

Actalab wants to merge 2 commits into main from security/validate-assertion-issuer

Conversation

Actalab (Collaborator) commented Jul 3, 2026

Context

Security audit of the gateway (shark-up/cryptr-gateway#165), finding #13 (🟠): assertion Issuer never validated (IdP confusion).

The assertion Issuer was extracted but never compared to the IdP's entity_id. Separation between IdPs relied solely on the fingerprint of the signing certificate: correct when the signature is required, critical as soon as it is relaxed.

Changes

  • SpConfig: new :idp_entity_id field, populated from IdpData.entity_id (the entityID parsed from the IdP metadata) in build_sp_config/2.
  • Saml.validate_assertion/4: new optional expected_issuer argument + a validate_issuer/2 step that rejects a mismatch with {:error, :bad_issuer}.
  • SP.validate_assertion passes sp.idp_entity_id.

Backward compatibility

When the expected issuer is nil/empty, the check is skipped → existing 3-arity callers and tests are unaffected. For an IdP configured via metadata, idp_entity_id is the metadata's entityID and the assertion Issuer is validated against it (expected SAML behaviour).

⚠️ Verification

Refs shark-up/cryptr-gateway#165

Actalab added 2 commits July 3, 2026 11:09
… #165 finding 13)

The assertion Issuer was extracted but never compared to the IdP's
entity_id, so IdP/identity confusion was possible — and critical whenever
assertion signature verification is relaxed.

- SpConfig: add :idp_entity_id, populated from IdpData.entity_id (the
  entityID parsed from the IdP metadata) in build_sp_config/2.
- Saml.validate_assertion/4: new optional expected_issuer arg + a
  validate_issuer/2 step that rejects a mismatch with {:error, :bad_issuer}.
  Backward compatible: when the expected issuer is nil/empty the check is
  skipped, so existing 3-arity callers are unaffected.
- SP.validate_assertion passes sp.idp_entity_id.

Refs shark-up/cryptr-gateway#165
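The Issuer check described above, as an added stand-alone example that is not cryptr-gateway's own code: an Elixir module that pulls `<saml:Issuer>` out of a raw assertion with Erlang's bundled :xmerl parser and applies the same rule the PR and commit message state (nil/empty expected issuer skips the check, mismatch yields `{:error, :bad_issuer}`). The module name `IssuerCheck`, the `issuer_of/1` helper and the sample assertion are assumptions constructed for the example.

```elixir
# Added example, not cryptr-gateway code. IssuerCheck, issuer_of/1 and the
# sample assertion below are assumptions constructed for illustration.
defmodule IssuerCheck do
  # Mirrors the PR's backward-compatibility rule: a nil or empty expected
  # issuer means "not configured", so the check is skipped.
  def validate_issuer(_assertion_xml, nil), do: :ok
  def validate_issuer(_assertion_xml, ""), do: :ok

  # Otherwise the assertion's Issuer must equal the IdP entityID exactly;
  # a missing Issuer is treated as a mismatch rather than a pass.
  def validate_issuer(assertion_xml, expected_issuer) when is_binary(expected_issuer) do
    case issuer_of(assertion_xml) do
      {:ok, ^expected_issuer} -> :ok
      _ -> {:error, :bad_issuer}
    end
  end

  # Text of the <Issuer> child of the root <Assertion>, namespace-agnostic.
  # Surrounding whitespace is trimmed; no other normalisation is done, so
  # the configured entityID must be byte-identical to what the IdP emits.
  defp issuer_of(xml) when is_binary(xml) do
    {doc, _rest} = :xmerl_scan.string(String.to_charlist(xml), quiet: true)
    xpath = String.to_charlist("/*[local-name()='Assertion']/*[local-name()='Issuer']/text()")

    case :xmerl_xpath.string(xpath, doc) do
      [{:xmlText, _parents, _pos, _lang, value, _type} | _] ->
        {:ok, value |> List.to_string() |> String.trim()}

      [] ->
        :missing
    end
  end

  # Constructed sample assertion (no real IdP) for a stand-alone run.
  @sample """
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  </saml:Assertion>
  """

  # Three cases: matching entityID, another IdP's entityID, and an SP with
  # no idp_entity_id configured (check skipped).
  def demo do
    %{
      match: validate_issuer(@sample, "https://idp.example.test/metadata"),
      other_idp: validate_issuer(@sample, "https://other-idp.example.test/metadata"),
      unconfigured: validate_issuer(@sample, nil)
    }
  end
end
```

Because a nil or empty expected issuer disables the check, a deployment only gets the protection when idp_entity_id is actually populated, which is what the PR does from IdpData.entity_id for metadata-configured IdPs.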