Pivotal Knowledge Base

Follow

SHA Signature Support for SAML Requests in PAS Tile in PCF 2.0

Environment

  • Pivotal Cloud Foundry (PCF) 2.0
  • SSO for PCF

Symptom 

Pivotal Application Service (formerly Elastic Runtime Tile) has removed support for SHA1 as an acceptable SAML Signature Algorithm used to sign outbound SAML requests. Beginning in 2.0, customers using SHA1 will be migrated to SHA256 to provide better security for SAML requests. SAML Responses from the Identity Provider are not impacted by this change.

Resolution

You are not impacted if you meet any of the following criteria:

  1. You do not use SAML for Enterprise Authentication with the Elastic Runtime Tile or have any service plans using SAML with the Single Sign-On Service Tile.
  2. You are already using SHA256 or SHA512 for your SAML Signature Algorithm.
  3. Your Identity Provider does not perform validation of the SAML authentication request signature or accepts more secure protocols than the protocol configured.
    • Okta does not validate the signature of SAML authentication requests.
    • ADFS appears to accept SHA256 signed authentication requests when SHA1 is configured.
  4. You have previously disabled signing of the SAML authentication request on the ERT or SSO configurations and configured a working integration with your Identity Provider.
  5. You have configured your Identity Provider to dynamically check SAML metadata via an URL, and your Identity Provider dynamically adjusts its expected SAML signature algorithm for authentication requests based upon URL metadata. 

If you have not yet upgraded to PCF 2.0, you can follow the instructions below:

  1. Change your ERT configuration for SAML Signature Algorithm to SHA256 or higher.

    Screen_Shot_2017-12-29_at_2.20.45_PM.png
  2. Exchange SAML metadata with your Identity Provider. You can refer to applicable steps via one of the links below:
      • Refer to the ERT Guides specific to your Identity Provider:

                      http://docs.pivotal.io/pivotalcf/opsguide/auth-sso.html#configure-saml-for-pcf

      • Refer to the SSO Guide specific to your Identity Provider:

                      https://docs.pivotal.io/p-identity/index.html#sso

  3. Change your Identity Provider’s expected SAML signature algorithm to the SAML Signature Algorithm you are using for PAS (SHA256 or SHA512)
    • For ADFS, the option looks like below:
      Screen_Shot_2017-12-29_at_2.15.40_PM.png
    • For CA Siteminder, the option looks like below:Screen_Shot_2017-12-29_at_2.17.05_PM.png



If you have already upgraded to PCF 2.0, you can follow the instructions below:

Option 1 - Update your Identity Provider metadata:

  1. Exchange SAML metadata with your Identity Provider. You can refer to applicable steps via one of the links below:
     
      • Refer to the ERT Guides specific to your Identity Provider:

    http://docs.pivotal.io/pivotalcf/opsguide/auth-sso.html#configure-saml-for-pcf

      • Refer to the SSO Guide specific to your Identity Provider:

    https://docs.pivotal.io/p-identity/index.html#sso


  2. If your identity provider does not automatically begin accepting the new SHA256 signed authentication requests, move on to option 2. 

 

Option 2 - Manually change your Identity Provider’s expected signature algorithm

  1. Change your Identity Provider’s expected SAML signature algorithm to the SAML Signature Algorithm you are using for PAS (SHA256 or SHA512).
    • For ADFS, the option looks like below:
      Screen_Shot_2017-12-29_at_2.33.56_PM.png
    • For CA Siteminder, the option looks like below:
      Screen_Shot_2017-12-29_at_2.34.58_PM.png


Option 3 - Disable Signed Authentication Requests

  1. Disable signing of the requests coming from PAS and SSO.
    • For ERT, under Authentication and Enterprise SSO, under the SAML Identity Provider configurations, you can uncheck “Sign Authentication Requests”
      Screen_Shot_2017-12-29_at_2.39.39_PM.png

    • For SSO, within the Service Plan, you can navigate to the “Configure SAML Service Provider” section and turn off “Perform signed authentication requests”
      Screen_Shot_2017-12-29_at_2.43.04_PM.png
  2. If your Identity Provider is still attempting to validate the signature even though none is being sent, you can disable validation of signed authentication requests in your Identity Provider’s configurations.
    • For ADFS, this is managed through the `Set-AdfsRelyingPartyTrust -TargetName "<Relying Party Trust Name>" -SignedSamlRequestsRequired $false` command. You can view the current settings with `Get-AdfsRelyingPartyTrust -Name "<Relying Party Trust Name>"`
      Screen_Shot_2017-12-29_at_2.44.27_PM.png
    • For CA Siteminder, you can uncheck “Required Signed Authentication Requests” for the applicable partnership.Screen_Shot_2017-12-29_at_2.46.22_PM.png

Comments

Powered by Zendesk