Add security policy for blocking unsolicited responses (#15)

* Update security-policy.xml * Update shibboleth2.xml * Update shibboleth2.xml
italia · May 7, 2021 · 79d163e · 79d163e
1 parent 6f54964
commit 79d163e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/shibboleth/security-policy.xml b/shibboleth/security-policy.xml
@@ -20,6 +20,22 @@
         <PolicyRule type="XMLSigning" errorFatal="true"/>
         <PolicyRule type="SimpleSigning" errorFatal="true"/>
     </Policy>
+
+    <!-- 
+    Required for passing SPID compliance tests 16, 17 and 18.
+    This blocks uncorrelated responses with unspecified, 
+    missing or wrong inResponseTo response attribute
+    -->
+    <Policy id="blockUnsolicited" validate="false">
+        <PolicyRule type="MessageFlow" blockUnsolicited="true" checkReplay="true" expires="60" checkCorrelation="true"/>
+        <PolicyRule type="Conditions">
+            <PolicyRule type="Audience"/>
+        </PolicyRule>
+        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
+        <PolicyRule type="XMLSigning" errorFatal="true"/>
+        <PolicyRule type="SimpleSigning" errorFatal="true"/>
+        <PolicyRule type="Bearer" blockUnsolicited="true"/>
+    </Policy>	
 
     <!--
     This policy is a place-holder for use of assertions in metadata

diff --git a/shibboleth/shibboleth2.xml b/shibboleth/shibboleth2.xml
@@ -17,6 +17,7 @@
         signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" encryption="false"
         authnContextClassRef="https://www.spid.gov.it/SpidL2" authnContextComparison="exact"
         NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+        policyId="blockUnsolicited"
         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
 
         <!--