Multiple SAML signatures in authentication response
After a migration to 2.0, I notice that our SAML authn responses now have 2 signatures, for example:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_39AFA0A0E55174DB8DBE5F5E5FB82EDE"
                InResponseTo="_WlAaKyUXroWlTtpL"
                Version="2.0"
                IssueInstant="2020-01-09T13:27:15Z"
                Destination="xxxx"
                >
  <saml:Issuer>xxxx</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_39AFA0A0E55174DB8DBE5F5E5FB82EDE">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>jGKGtk/crirq2qgQLhaP7YUQoMw=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>XavE9YWAdC94nIaCF0tr5nXVt3yDPzdef/7SucI7sFE1NtSjKol/L7n0zvipCCZW
33GB/Zyd0sptgxIOpzka/4kkIulS6RkoGYgnff3wDnJcOAsitoAPaZU1CZ/7dXOI
doaQoRtdjJgfH8razX8vWxhqZdaMqOgcTnAME+Hc09GtCN+Cwh4JQFDybiAGajG0
80XatOaqouD0Xj9RC4LRqjcjubdd/MOerfpWhncw+DnnFE41VJUXIAfd0vhUH3Ot
HA5FB/uufHhSqEazzTm0pIgr3RkZkdvNYE5PO42TRgbcH4KRsSx2LIHILScJfLOl
YueWwBpO6tPPMePkV9TOhhJa2tK9uXTZTpkLeAJMQIRTTHQO556h+BqqKqh0MQny
rs1WxyLka6EifBu54fgmbKiEqvvw6GXi76/s2oNLhUv2ThopTO7IFxTfpPeayEyA
QmrbvL6Lwg6sokn/Q72/GWxNJCiPNfk95WFX9s8qcnGVgEO5VkwW0MO9Cci9pNNe
l9YImFLMTDBbKZPOiQTA4b2bq6IaYpfta7BDyBl912wLabYt1Olq8xp4EvuEfY/2
hONRLAXvaqkWwIHXAtZx4dT+mRcqbcvT49nzclDjcrWFJPCfOLF0Jvmdtmqt5nDp
XKm5uGazaFXbLO1FvH9pHkS+W3WrMYTcjacripUYiLA=</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>...</Modulus>
          <Exponent>
            AQAB
          </Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion Version="2.0"
                  ID="_747ABBF254269028B433C7B6E793C82E"
                  IssueInstant="2020-01-09T13:27:15Z"
                  >
    <saml:Issuer>xxxx</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#_747ABBF254269028B433C7B6E793C82E">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>aCaze1q5G200EDQUg9keMcF/EXs=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>NpLQIcvOCdInJTJAW0M+qOSfBJs+0mXoNewFxoF/7QJFhPnuMDAl/Q1Zo8Luhbmq
2COInhqWsHCi4QwYmf4+hi0SUw5FyTMTUgXdIuY9f7OZjJ0MJopQkvUhEb4UJ4kP
CNxuZSY0I8fXG4uqUYaKk59sHnusa/vHZhH9/how5Dakx5HNZd0rqeCXp/mvDcx8
djw83TAM8I9v6FcSugTWyH1nDKwp+bHMQjhUMaGixR/LJd3WPppoKLX0Brfw4D2m
miQZCkfN2SrMF3FU2RdE+ea9Vozed+t7oqlOw/d8Bx2Z1W4zYm8Si1mSvg/mBsPI
qipiT37ohK0UD3UnGRsOVxbaZhrR1QzySiCArR+O4c7pkH//9T3NjIub+2A31/W4
xUTtrjOrPXGSV/pIkbiNZYkiROAVlql0ATFeFYDACFDWArOUJLPIvCD/f09iiWDA
6vTlmk9uhrJtjkxAZNgPzvzbLStKmLrjRUnrirGmRO3t4JgWF7V/TJ4suAAZ7BwE
JFuifvpbSjk3Z+qD81AYNetuoOjgpoQWCJKBDCxcmcR5g27EDjvGk+46w6ynidBK
z2InaSfN9MP814oZp7xx20gU4QewMZC0Guyv71H+CAyhbx04VYLJkabCbYmW25Vx
oYlUl/yxQHCSeeJEwSpGIkATzPn5gX2mrR8OxuCP9dY=</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <RSAKeyValue>
            <Modulus>...</Modulus>
            <Exponent>
              AQAB
            </Exponent>
          </RSAKeyValue>
        </KeyValue>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxxx</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-01-10T09:27:15Z"
                                      Recipient="xxxx"
                                      InResponseTo="_WlAaKyUXroWlTtpL"
                                      />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-09T13:26:15Z"
                     NotOnOrAfter="2020-01-10T13:28:15Z"
                     >
      <saml:AudienceRestriction>
        <saml:Audience>xxxx</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-01-09T13:26:16Z"
                         SessionIndex="4f317d845fdcac41078ba09e4ae79c799850fa546c18b1710ab90307df5219ac"
                         SessionNotOnOrAfter="2020-01-10T09:26:16Z"
                         >
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
There is one signature at the "response" level and another at the "assertion" level. We also see the "Issuer" markup is duplicated. Before 2.0, the signature was only in the "assertion" part.
I have not checked yet, but I am pretty sure this is valid. Anyway, some SAML SPs do not like it; this is the case with ArcGIS in my case.
I tried to disable the signature for tests, and I noticed that the signature was still present in the SAML message at the "assertion" level, but no longer at the "response" level. This should not be the case, as the signature is disabled; there should be no signature at all.
I don't know if this behavior is linked to Lasso or to our code.
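As an added example (not part of the original post, and not Lasso or ArcGIS code): a small Python diagnostic, run over a constructed, trimmed-down response shaped like the one above, that lists which elements carry an enveloped signature and whether each Signature's Reference URI points at the ID of its own enclosing element, plus a check that every saml:Issuer carries the same value. It inspects structure only and does not verify digests or the RSA signatures, so it answers placement questions like this one rather than replacing the SP's signature verifier.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
SAML_ISSUER = "{%s}Issuer" % NS["saml"]

# Constructed sample (IDs, issuer and signature values are placeholders):
# one signature on the Response and one on the Assertion, like the post.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><Reference URI="#_resp1"/></SignedInfo>
    <SignatureValue>constructed</SignatureValue>
  </Signature>
  <saml:Assertion ID="_asrt1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo><Reference URI="#_asrt1"/></SignedInfo>
      <SignatureValue>constructed</SignatureValue>
    </Signature>
  </saml:Assertion>
</samlp:Response>"""


def signature_layout(xml_text):
    """Return [(signed_element_name, ok), ...] in document order.

    ok is True only when the Signature has exactly one Reference and its URI
    is "#" + the ID of the element that directly encloses the Signature,
    i.e. the signature covers its own parent (Response or Assertion).
    """
    root = ET.fromstring(xml_text)
    layout = []
    for parent in root.iter():
        for child in list(parent):
            if child.tag != DS_SIGNATURE:
                continue
            refs = child.findall("ds:SignedInfo/ds:Reference", NS)
            uri = refs[0].get("URI") if len(refs) == 1 else None
            parent_id = parent.get("ID")
            ok = parent_id is not None and uri == "#" + parent_id
            layout.append((parent.tag.split("}")[-1], ok))
    return layout


def issuers_consistent(xml_text):
    """True when every saml:Issuer in the message carries the same value."""
    root = ET.fromstring(xml_text)
    return len({(e.text or "").strip() for e in root.iter(SAML_ISSUER)}) == 1
```

The result for the sample is `[("Response", True), ("Assertion", True)]`; an SP that only expects an assertion-level signature will see the extra ("Response", ...) entry, which is the difference the post describes.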