
SAML AuthRequest assertions are not signed by the ISE

mtrojcza
Cisco Employee

Hello Experts,

My customer raised a question about SAML assertion signatures. They confirmed that in their integration with Identity Federation the SAML AuthRequest is not signed by ISE:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://mydevices.example.com:8444/mydevicesportal/SSOLoginResponse.action"
    ForceAuthn="false"
    ID="_94996df0-0a98-11e8-9ab8-380e4d172cf6_DELIMITERportalId_EQUALS94996df0-0a98-11e8-9ab8-380e4d172cf6_SEMIportalSessionId_EQUALSe8349759-d271-40dd-b6a7-9e9b77fe9d31_SEMI_DELIMITERmydevices.par.michelin.com"
    IsPassive="false"
    IssueInstant="2018-02-14T16:42:57.491Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">http://CiscoISE/94996df0-0a98-11e8-9ab8-380e4d172cf6</samlp:Issuer>
  <saml2p:NameIDPolicy xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AllowCreate="false" />
  <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

I haven't found any documentation on the matter. Could you please tell me if this is expected and if we can force the signature in any way?

Thanks,

Mateusz



Nidhi
Cisco Employee

Researching

Nidhi
Cisco Employee

Have you checked these 2 documents?

ISE Design & Integration Guides

Lab Config Guide: ISE 2.1 with Ping Fed for Guest Web Auth & Sponsor Portal SAML SSO

Meanwhile I have asked our SME to look into it.

Thanks,

Nidhi

Hi Nidhi,

Thank you for looking into it. Yes, I have checked the docs you mentioned, but didn't find the level of detail needed to answer these doubts...

I will be looking forward to hearing from the SME.

Thanks,

Mateusz

hslai
Cisco Employee
(Accepted Solution)

Below is to re-iterate what we discussed:

At present, it's not configurable in ISE to sign SAML AuthRequest. Logout requests are the ones with the option to be signed in the SAML advanced settings.

3.1 HTTP Redirect Binding in SAML 2.0 - Wikipedia says

… In practice, all the data contained in a <samlp:AuthnRequest>, such as Issuer which contains the SP ID, and NameIDPolicy, has been agreed between IdP and SP beforehand (via manual information exchange or via SAML metadata). In that case signing the request is not a security constraint.  ...

If needed, please go ahead and log an enhancement request.
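As an added example (not ISE or Cisco code), the IdP-side consequence of the point above: since ISE cannot sign the AuthnRequest, the IdP has to validate the request against the SP data it registered beforehand through metadata. The Python below uses an assumed registry and a constructed request modelled on the posted one, checks the Issuer and AssertionConsumerServiceURL against that registry, and reports whether a ds:Signature element is present at all.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the SP entries the IdP loaded from metadata beforehand
# (hypothetical values): Issuer (SP entityID) -> ACS URLs the IdP may post to.
REGISTERED_SPS = {
    "http://CiscoISE/94996df0-0a98-11e8-9ab8-380e4d172cf6": {
        "https://mydevices.example.com:8444/mydevicesportal/SSOLoginResponse.action",
    },
}

# Constructed request in the shape of the unsigned one posted in the thread.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Version="2.0" ID="_example" IssueInstant="2018-02-14T16:42:57.491Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://mydevices.example.com:8444/'
    'mydevicesportal/SSOLoginResponse.action">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'http://CiscoISE/94996df0-0a98-11e8-9ab8-380e4d172cf6</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="false"/>'
    '</samlp:AuthnRequest>'
)

def validate_authn_request(xml_text, registry):
    """Return (accepted, reason, is_signed) for one AuthnRequest.

    With no signature to verify, the IdP accepts the request only if the Issuer
    is a registered SP and the AssertionConsumerServiceURL is one agreed for that
    SP, so a modified request cannot steer the SAML Response to another endpoint.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return False, "not an AuthnRequest", False
    # Matching by namespace URI also covers the samlp-prefixed Issuer in the post.
    is_signed = root.find("{%s}Signature" % DSIG) is not None
    issuer_el = root.find("{%s}Issuer" % SAML)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    allowed_acs = registry.get(issuer)
    if allowed_acs is None:
        return False, "unknown Issuer: %r" % issuer, is_signed
    acs = root.get("AssertionConsumerServiceURL", "").strip()
    if acs not in allowed_acs:
        return False, "ACS URL not registered for this SP: %r" % acs, is_signed
    if root.get("Version") != "2.0":
        return False, "unsupported SAML version", is_signed
    return True, "ok", is_signed
```

The registry lookup is what replaces the missing signature: an IdP that honours whatever ACS URL an unsigned request carries would send the Response wherever the request says.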

May we know whether there is any change/enhancement on this in the latest ISE 3.0 or 3.1?

We are doing an ISE SAML integration and encounter the same problem.

Thanks for the comments.

There is still no configuration option for this in ISE 3.0/3.1 and I was not able to find any enhancement request filed related to this.

The customer can use the Make a Wish feature to request this or you can reach out to the PM team internally via cs.co/ise-pm.
