Proposal: deprecate the SAML connector #1884
Replies: 9 comments 21 replies
-
(Converted this to a GitHub Discussion.) |
Beta Was this translation helpful? Give feedback.
-
Generally I agree, but I think SAML is still a popular connector. Maybe we could gather some information from the community (eg. with a quick survey?). |
Beta Was this translation helpful? Give feedback.
-
(Echoing my comments from the private advisory discussion.) I'm broadly in favor of deprecating the SAML connector, with some notes... Support policyThe SAML connector is one of our As a consumer, I'd have an expectation of a reasonable deprecation period and guidance on what/how I should migrate. AFAIK, we have no official deprecation policy and we should work on one before putting anything else into motion (I can take this item). Maintainer overhead/burdenAs a small set of maintainers, with several of us not having Dex as a primary focus at $dayjob, it's important that we recognize when certain things may not be working and move towards patterns that ease the maintenance burden. Even more so as a security-focused project, it's our responsibility to move quickly (but safely) on areas that are attack surfaces, especially if we are not equipped to effectively maintain them. AdoptersTo the points mentioned by @ericchiang, I'd be in favor of considering keeping the SAML connector around if we had SME adopters that are interested in becoming maintainers. Breaking up the "monolith"Corollary to ^^, something that we could do is split the connectors out into their own repos?
|
Beta Was this translation helpful? Give feedback.
-
What would be the advantage of doing that, apart from better access control? Generally, I'm strongly against "breaking up the monolith" without an obvious advantage, especially if the costs outweigh the benefits (which I believe is the case now, at least on the technical level). So there should be a pretty strong case presented in order for me to support this. Let's open a separate discussion. As for better access control: maybe we could do something with OWNER files? |
Beta Was this translation helpful? Give feedback.
-
One thing I'm worried about from the SAML side: despite fixes to github.com/russellhaering/goxmldsig dex was still vulnerable. As stated in the internal thread, I tried to structure the connector code so that if github.com/russellhaering/goxmldsig behaved correctly dex couldn't be vulnerable to these kind of issues. The fact that that assumption didn't hold worries me and should probably prompt an audit, if not rewrite. Combined with golang/go#43168, I think we should assume there're more vulnerabilities in this connector. |
Beta Was this translation helpful? Give feedback.
-
Just a FYI: I wrote a blog post about SAML: https://joonas.fi/2021/08/saml-is-insecure-by-design/ |
Beta Was this translation helpful? Give feedback.
-
I came across this discussion from the link on https://dexidp.io/docs/connectors/saml/ I really hope that SAML support can remain in Dex somehow. I'm in the unfortunate position of needing to use the AWS SSO service (which is regrettably SAML-only right now) for a number of things. Dex is the only simple OIDC IdP that I've found that can authenticate against a SAML IdP. I fully agree that OIDC is the future and that SAML is broken and horrible, but Dex is currently serving a really important purpose as a stepping stone to help people get from SAML to OIDC while the rest of the world catches up. It seems way better to have one application (Dex) that authenticates against a SAML IdP than the alternative. Separately from my interest as a user of Dex, I also maintain a SAML authentication module for the Drupal CMS, so I have some domain knowledge here. The PHP community has run into similar problems with xmlseclibs (roughly equivalent to goxmldsig). There are other places where xmlseclibs is used, but SAML libraries are by far the biggest consumer. This is by no means a problem that's specific to goxmldsig or even Go itself: XML signatures are just dumb and difficult to get right. Because of the inherent complexity, most of the environments that I've worked in have used something like SAML Raider and focused a lot of time and energy into figuring out ways to break their implementation (As an aside, there is a lot of good SAML security-related literature linked in the readme of that repo). I haven't yet seen a better way to improve SAML security other than by repeatedly breaking things and fixing them. I'd really love to see a comprehensive blackbox testing tool for SAML SPs that codifies all of the existing knowledge about how to break a particular SP into a test suite of some kind, but that seems like a pipe dream. In any case: if there's something I can do to help here, I'd be glad to spend some time on it. Just let me know what would be helpful! |
Beta Was this translation helpful? Give feedback.
-
Would love to help where we can, we have a well-maintained SAML service where we have wrapped the flow as an OAuth 2.0 flow and OIDC wrapper is coming soon. So integrating it with Dex should be straightforward. Our code is all in TypeScript though so the integration will have to be via a separate service rather than being inside of Dex. I agree with @cweagans, SAML security is ultimately continuous testing. We have fixed a lot of the issues mentioned in the thread earlier and continue to stay on top of it. We are also looking to plug in a schema validator which should take away a significant surface area of attack. OIDC is definitely the future but we are not quite there yet, SAML is still very popular and I do not see it going away immediately. Happy to discuss and collaborate further. |
Beta Was this translation helpful? Give feedback.
-
The XML digital signature standards are extremely (and I dare even say "stupidly") complex because of the number of options they have created or leave open, instead of having created a very strict subset of enforced conventions: that was definitely paving the way to overly complex implementations with plenty of weaknesses, bugs when not functional errors (like the signature verification vulnerability in go-lang libs), and has definitely fueled a waste of countless hours at solving compatibility issues, debugging, and so forth. Organizations like ETSI have indeed created official standards like "ETSI EN 319 132 XML Advanced Electronic Signatures (XAdES)" to streamline proper use and practices which are widely used, notably regarding the EU eIDAS qualified signature directives. So I understand that this field generates a lot of defiance (I share it), but I would advocate of not deprecating a still very important SAML DEX connector for many organizations on the basis that:
So I would recommend not to throw away the connector, and to maintain the SAML connector working as is in future DEX releases with definitely a proper accompanying note or state marking the defiance, about the risks and exposure to vulnerabilities found in the implementation stack at stake. Organization are indeed invited to consider security settings globally, and notably the strength of network security in place to ensure the integrity of the information exchanged between their systems. |
Beta Was this translation helpful? Give feedback.
-
@justaugustus @srenatus @sagikazarmark
Due to the nature of complex security issues in SAML, and lack of technical domain experts, I'd like to propose dex deprecate the SAML connector.
Is your feature request related to a problem?
This issue is to formalize internal discussion from GHSA-m9hp-7r99-94h5
Dex is inherently in a privileged position within an environment, and being able to bypass authentication is usually enough to access any resources that trust dex. SAML is unique from other connectors because of the complexity in the underlying technologies (https://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt). In addition modern IdPs also always support some form of OAuth2 or OIDC, which aren't perfect, but there's wide agreement in the Security community that these are significantly more robust than SAML.
Despite @jupenur awesome explanations, even I don't feel I fully understand exactly how dex was impacted, or how dex could have resolve the issue without checking the specific round-trip issues in the CVEs (57640cc). As discussed in golang/go#43168 Go's XML parser doesn't guarantee round-trip stability, so there are likely more vulnerabilities due to this, particularly since dex depends on both encoding/xml and github.com/beevik/etree to interpret XML. Broadly, it's extremely hard to reason about the security of this code without strong expertise.
Dex currently doesn't have a maintainer that's actively worked on the SAML connector. During the response to the CVEs GHSA-m9hp-7r99-94h5 it was discovered that dex was vulnerable to a different issue that had been public since September GHSA-q547-gmf8-8jr7.
UPDATE:
It's likely that dex has more issues with round trip serialization that aren't covered by the current report #1884 (comment). We should assume it's vulnerable to more authentication bypasses that aren't resolved by GHSA-m9hp-7r99-94h5.
In addition, the upstream maintainer of the XML signature validation library doesn't have confidence in the protocol as a whole https://news.ycombinator.com/item?id=25424267. That means the author of the connector (me), the maintainer of the sig validation library (Russell), and the maintainer of encoding/xml golang/go#43168 don't think this code meets any strong security guarantees.
Describe the solution you'd like to see
I'd propose deprecating the SAML connector to communicate the risks of using it, which I believe are different enough from other connectors that it's worth calling out. If a user has a choice between OAuth2, OIDC, or SAML, they should always use OAuth2 or OIDC.
Describe alternatives you've considered
If there are companies invested in this code, they might consider providing resources for a subject matter expert that can give this connector the attention it needs (maybe from https://github.com/dexidp/dex/blob/master/ADOPTERS.md?).
Additional context
Beta Was this translation helpful? Give feedback.
All reactions