-
Notifications
You must be signed in to change notification settings - Fork 10.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FIX] SAML assertion signature enforcement #17278
Conversation
Thanks for the fast PR ! |
I'm also recommending rocketchat to others for various reasons. However, since the first fix seems to be the result of a private messaged vulnerability, I'm a bit shocked about the communication. I'm happy with your work and try to favor Rocket.Chat over alternative solutions. Yet, security and privacy are part of the reasons to choose Rocket.Chat. |
I've mentioned your concerns to the team and started a discussion about it. I'll keep you updated. |
Just had this blow up on my too, glad to see the pull request accepted, but hope it's released very soon as all our user accounts are SAML based. |
Resolved this by signing the response as our assertions were signed already. Apparently the assertions were not enough. |
Hi @Exordian |
…mailer * 'develop' of github.com:RocketChat/Rocket.Chat: (93 commits) [FIX] Red color error outline is not removed after password update (#16536) [FIX] Change wording to start DM from info panel (#8799) New hooks for RouterContext (#17305) [FIX] SAML assertion signature enforcement (#17278) [FIX] LDAP users lose session on refresh (#17302) [NEW] Add MMS support to Voxtelesys (#17217) [FIX] Popover component doesn't have scroll (#17198) [FIX] Omnichannel SMS / WhatsApp integration errors due to missing location data (#17288) [FIX] User search on directory not working correctly (#17299) [FIX] Can not save Unread Tray Icon Alert user preference (#16288) (#16313) [FIX] Variable rendering problem on Import recent history page (#15997) [FIX] Admin panel custom sounds, multiple sound playback fix and added single play/pause button (#16215) [FIX] Discussions created from inside DMs were not working (#17282) [FIX] translation for nl (#16742) [FIX] No maxlength defined for custom user status (#16534) [FIX] Directory users email sort button (#16606) [FIX] In Create a New Channel, input should be focused on channel name instead of invite users (#16405) [FIX] Email not verified message (#16236) [FIX] Directory default tab (#17283) Update ru.i18n.json (#16869) ...
…users_and_rooms * 'develop' of github.com:RocketChat/Rocket.Chat: [FIX] "Invalid Invite" message when registration is disabled (#17226) [FIX] Red color error outline is not removed after password update (#16536) [FIX] Change wording to start DM from info panel (#8799) New hooks for RouterContext (#17305) [FIX] SAML assertion signature enforcement (#17278) [FIX] LDAP users lose session on refresh (#17302) [NEW] Add MMS support to Voxtelesys (#17217) [FIX] Popover component doesn't have scroll (#17198)
…dm/mailer * 'adm/mailer' of github.com:RocketChat/Rocket.Chat: (79 commits) removed unecessary prop Fixed sendMail function Removed Log, Success message Permissions added route component [FIX] "Invalid Invite" message when registration is disabled (#17226) Added route, error handling. [FIX] Red color error outline is not removed after password update (#16536) [FIX] Change wording to start DM from info panel (#8799) New hooks for RouterContext (#17305) [FIX] SAML assertion signature enforcement (#17278) [FIX] LDAP users lose session on refresh (#17302) [NEW] Add MMS support to Voxtelesys (#17217) [FIX] Popover component doesn't have scroll (#17198) [FIX] Omnichannel SMS / WhatsApp integration errors due to missing location data (#17288) [FIX] User search on directory not working correctly (#17299) [FIX] Can not save Unread Tray Icon Alert user preference (#16288) (#16313) [FIX] Variable rendering problem on Import recent history page (#15997) [FIX] Admin panel custom sounds, multiple sound playback fix and added single play/pause button (#16215) [FIX] Discussions created from inside DMs were not working (#17282) ...
…nto view-logs * 'develop' of https://github.com/RocketChat/Rocket.Chat: (31 commits) Fixed componentes width (#17322) [IMPROVE] Administration -> Mailer Rewrite to React. (#17191) Regression: Storybook added flowrouter group mock (#17321) [NEW] Feature/custom oauth mail field and interpolation for mapped fields (#15690) [FIX] "Invalid Invite" message when registration is disabled (#17226) [FIX] Red color error outline is not removed after password update (#16536) [FIX] Change wording to start DM from info panel (#8799) New hooks for RouterContext (#17305) [FIX] SAML assertion signature enforcement (#17278) [FIX] LDAP users lose session on refresh (#17302) [NEW] Add MMS support to Voxtelesys (#17217) [FIX] Popover component doesn't have scroll (#17198) [FIX] Omnichannel SMS / WhatsApp integration errors due to missing location data (#17288) [FIX] User search on directory not working correctly (#17299) [FIX] Can not save Unread Tray Icon Alert user preference (#16288) (#16313) [FIX] Variable rendering problem on Import recent history page (#15997) [FIX] Admin panel custom sounds, multiple sound playback fix and added single play/pause button (#16215) [FIX] Discussions created from inside DMs were not working (#17282) [FIX] translation for nl (#16742) [FIX] No maxlength defined for custom user status (#16534) ...
Closes #17277
PR #16922 improved the security of our SAML implementation after some possible vulnerabilities were reported, but in the process it also broke compatibility with IdPs that don't sign assertions.
This PR adds a new setting to determine which signatures need to be validated. It defaults to both Response's and Assertion's, but a migration changes all existing instances to default to either one.