How to prevent ACS URL spoofing in an AuthnRequest

Document ID : KB000012530
Last Modified Date : 14/02/2018
Introduction:

Defending against manipulation of the AssertionConsumerServiceURL in an AuthnRequest.

Question:

Is it possible to insert a different Assertion Consumer Service URL into the SP's AuthnRequest? Can this be prevented?

Answer:

While the use of HTTPS generally prevents tampering with an AuthnRequest between the time it is created and the time it is submitted to the IDP, CA SSO (Siteminder) also contains checks that prevent clients from having an assertion posted to an unapproved Assertion Consumer Service URL (ACS URL).

If an AssertionConsumerServiceURL is sent within a SAMLRequest (AuthnRequest), then for Siteminder FWS (Federated Web Services) to accept and process it, the flag "Accept ACS URL in the Authnrequest" must be enabled. This instructs FWS to look for the AssertionConsumerServiceURL within the SAMLRequest and validate its value before the request is processed.

The "Accept ACS URL in the Authnrequest" flag can be found in the Siteminder IDP partnership under the "SSO and SLO" tab.

 

"Accept ACS URL in the Authnrequest" flag is unset (OFF):

When "Accept ACS URL in the Authnrequest" is not set, Siteminder will ignore the AssertionConsumerServiceURL sent in the SAMLRequest and will use the Default ACS URL configured in the Partnership.

 

"Accept ACS URL in the Authnrequest" flag is set (ON):

When "Accept ACS URL in the Authnrequest" is set, Siteminder will look for AssertionConsumerServiceURL in the SAMLRequest.

If found, Siteminder will compare the value of the AssertionConsumerServiceURL from the SAMLRequest to the ACS URLs defined in the Partnership.

If there is a match, the AssertionConsumerServiceURL from the SAMLRequest will be used. If there is no match to any of the ACS URLs defined in the Partnership, the request will be rejected with an HTTP 403 error.

 

To be clear: regardless of how this flag is set, Siteminder will under no conditions allow an assertion to be posted to an ACS URL that is not specified in the Partnership. Enabling the flag merely allows the SP to choose which of the configured ACS URLs to use when more than one ACS URL is configured in the Partnership.

 

Below are some use case scenarios and expected results: 

 

** Scenario 1 --> "Accept ACS URL in the Authnrequest"  Flag is unset (OFF)

* Option 1 

1) AuthnRequest (SAMLRequest) contains AssertionConsumerServiceURL:

<?xml version="1.0" encoding="UTF-8"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://assertionConsumerURL"
    Destination="https://yourIDPserver/affwebservices/public/saml2sso"
    ID="_3b7b86ab469e8775e355ccf06681f578e293"
    IssueInstant="2017-01-09T20:42:58Z"
    Version="2.0">
   <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">spid</ns1:Issuer>
</AuthnRequest>

 

2) FWS will ignore the AssertionConsumerServiceURL sent within the SAMLRequest, and the default ACS URL configured within the Siteminder IDP Partnership will be used.

 

* Option 2

1) AuthnRequest (SAMLRequest) does not contain AssertionConsumerServiceURL:

<?xml version="1.0" encoding="UTF-8"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://yourIDPserver/affwebservices/public/saml2sso"
    ID="_3b7b86ab469e8775e355ccf06681f578e293"
    IssueInstant="2017-01-09T20:42:58Z"
    Version="2.0">
   <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">spid</ns1:Issuer>
</AuthnRequest>

 

2) FWS will use the default ACS URL configured within the Siteminder IDP Partnership.

 

** Scenario 2 --> "Accept ACS URL in the Authnrequest"  Flag is set (ON)

* Option 1 

1) AuthnRequest (SAMLRequest) contains an AssertionConsumerServiceURL that does not match the ACS URL configured within the Siteminder IDP Partnership:

<?xml version="1.0" encoding="UTF-8"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://assertionConsumerURL"
    Destination="https://yourIDPserver/affwebservices/public/saml2sso"
    ID="_3b7b86ab469e8775e355ccf06681f578e293"
    IssueInstant="2017-01-09T20:42:58Z"
    Version="2.0">
   <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">spid</ns1:Issuer>
</AuthnRequest>

 

2) FWS will read the AssertionConsumerServiceURL sent within the SAMLRequest and perform a string compare against the ACS URL(s) configured within the Siteminder IDP Partnership.

3) Since there is no match, an HTTP 403 (Forbidden) response will be returned.

 

* Option 2

1) AuthnRequest (SAMLRequest) contains an AssertionConsumerServiceURL that does match the ACS URL configured within the Siteminder IDP Partnership:

<?xml version="1.0" encoding="UTF-8"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://assertionConsumerURL"
    Destination="https://yourIDPserver/affwebservices/public/saml2sso"
    ID="_3b7b86ab469e8775e355ccf06681f578e293"
    IssueInstant="2017-01-09T20:42:58Z"
    Version="2.0">
   <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">spid</ns1:Issuer>
</AuthnRequest>

 

2) FWS will read the AssertionConsumerServiceURL sent within the SAMLRequest and perform a string compare against the ACS URL(s) configured within the Siteminder IDP Partnership.

3) Since the AssertionConsumerServiceURL value matches an ACS URL configured in the Partnership, FWS will accept the request and the AssertionConsumerServiceURL from the SAMLRequest will be used.

 

NOTE --> You can have multiple ACS URLs configured in the IDP Partnership. FWS will perform a string compare of the AssertionConsumerServiceURL value against all of the configured ACS URLs. If there is a match to one of the ACS URLs, the request will succeed; otherwise an HTTP 403 (Forbidden) error will be returned.

 

* Option 3 

1) AuthnRequest (SAMLRequest) does not contain AssertionConsumerServiceURL:

<?xml version="1.0" encoding="UTF-8"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://yourIDPserver/affwebservices/public/saml2sso"
    ID="_3b7b86ab469e8775e355ccf06681f578e293"
    IssueInstant="2017-01-09T20:42:58Z"
    Version="2.0">
   <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">spid</ns1:Issuer>
</AuthnRequest>

 

2) FWS will look for an AssertionConsumerServiceURL within the SAMLRequest. Since none is included, the default ACS URL configured within the Siteminder IDP Partnership will be used.
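The following Python script is an added example, not CA SSO/Siteminder code. It models the ACS URL selection rules described above (flag OFF: always the Partnership default; flag ON: exact string compare of the requested URL against every configured ACS URL, 403 on mismatch, default when the attribute is absent) and runs all five scenarios against constructed AuthnRequests. The Partnership class, the example.test URLs, the request ID and the function names are assumptions made for the example.

```python
"""Added example (not CA/Siteminder code): model of the "Accept ACS URL in the
Authnrequest" logic this article describes, exercised against sample AuthnRequests.
Partnership settings, URLs and class/function names are assumptions for the example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class Partnership:
    """Hypothetical model of the IDP Partnership settings named in the article."""
    default_acs_url: str
    acs_urls: List[str]                            # every ACS URL configured in the Partnership
    accept_acs_url_in_authnrequest: bool = False   # the "Accept ACS URL in the Authnrequest" flag


class AcsUrlRejected(Exception):
    """Raised where FWS would answer HTTP 403 Forbidden."""


def make_authn_request(acs_url: Optional[str] = None) -> str:
    """Build a minimal AuthnRequest (constructed sample, modelled on the article's requests)."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<AuthnRequest xmlns="{SAMLP_NS}"'
        ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
        f'{acs_attr}'
        ' Destination="https://idp.example.test/affwebservices/public/saml2sso"'
        ' ID="_example-request-id" IssueInstant="2017-01-09T20:42:58Z" Version="2.0">'
        f'<ns1:Issuer xmlns:ns1="{SAML_NS}">spid</ns1:Issuer>'
        '</AuthnRequest>'
    )


def extract_acs_url(authn_request_xml: str) -> Optional[str]:
    """Return the AssertionConsumerServiceURL attribute, or None when the request has none."""
    root = ET.fromstring(authn_request_xml.encode("utf-8"))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


def select_acs_url(authn_request_xml: str, partnership: Partnership) -> str:
    """Pick the ACS URL the assertion will be posted to, following the article's rules."""
    requested = extract_acs_url(authn_request_xml)
    if not partnership.accept_acs_url_in_authnrequest:
        # Flag OFF (Scenario 1): the attribute is ignored whether present or not.
        return partnership.default_acs_url
    if requested is None:
        # Flag ON, attribute absent (Scenario 2, Option 3): fall back to the default.
        return partnership.default_acs_url
    # Flag ON, attribute present: exact string compare against every configured ACS URL.
    # Nothing is normalised, so a different scheme, host case or trailing slash is a mismatch.
    if requested in partnership.acs_urls:
        return requested
    raise AcsUrlRejected(f"403 Forbidden: {requested!r} is not an ACS URL of this Partnership")


def run_scenarios() -> dict:
    """Exercise the five scenarios from the article and return what each one resolves to."""
    configured = ["https://sp.example.test/saml/acs", "https://sp.example.test/saml/acs-alt"]
    flag_off = Partnership(configured[0], configured, accept_acs_url_in_authnrequest=False)
    flag_on = Partnership(configured[0], configured, accept_acs_url_in_authnrequest=True)

    matching = make_authn_request(configured[1])
    mismatching = make_authn_request("http://sp.example.test/saml/acs-alt")  # http, not https
    absent = make_authn_request(None)

    def outcome(request: str, partnership: Partnership) -> str:
        try:
            return select_acs_url(request, partnership)
        except AcsUrlRejected:
            return "403 Forbidden"

    return {
        "scenario1_option1_flag_off_acs_present": outcome(matching, flag_off),
        "scenario1_option2_flag_off_acs_absent": outcome(absent, flag_off),
        "scenario2_option1_flag_on_mismatch": outcome(mismatching, flag_on),
        "scenario2_option2_flag_on_match": outcome(matching, flag_on),
        "scenario2_option3_flag_on_acs_absent": outcome(absent, flag_on),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Two points the script makes visible: because the compare is an exact string compare, every variant an SP may legitimately send (scheme, host spelling, trailing slash) must be listed in the Partnership or it will be rejected with a 403; and the standard-library parser used here is not hardened against malformed or oversized XML, so a production validator handling untrusted requests should parse with a hardened parser such as defusedxml.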