For those customers who have deployed or are presently testing SAML Security options, please take note of this update.
The SAML (Security Assertion Markup Language) sample plugin enables user authentication on the Pentaho Server from a third-party SSO provider. The plugin is configurable with a Service Provider (SP) metadata XML file. This metadata instructs the Pentaho Server (i.e. the SP) how to process SAML assertions, which are used to verify user identity. The assertions are signed with a digital certificate to prevent tampering while they are in transit.
It has come to our attention that some installations may be using misconfigured SP metadata that allows unsigned assertions to be processed by the Pentaho Server. An unsigned assertion could be modified in transit, allowing an unwanted entity to assume the role or identity of any user on the server.
Steps to verify that assertions must be signed before they are processed:
- Open the SP metadata XML file configured for the SAML plugin. The file location can be found under the sp.metadata.filesystem property in $PENTAHO_SERVER/pentaho-solutions/system/karaf/etc/pentaho.saml.cfg
- Locate the following XML tag:
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
- Verify that the WantAssertionsSigned attribute is set to true. If it is not, change it to true.
- Save the file, then restart the Pentaho Server.
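The check above can be scripted so it is repeatable across servers. The following is an added example, not code from the Pentaho plugin: it parses SP metadata, reports any md:SPSSODescriptor whose WantAssertionsSigned attribute is missing (the SAML 2.0 metadata default is false) or not true, and can rewrite it. The embedded metadata and its entityID are constructed for illustration; point it at the file named by sp.metadata.filesystem on a real server.

```python
"""Audit SAML SP metadata for WantAssertionsSigned="true" (added example)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SPSSO = f"{{{MD_NS}}}SPSSODescriptor"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when serializing

# Constructed sample: SP descriptor that omits WantAssertionsSigned,
# so unsigned assertions would be accepted (entityID is a placeholder).
SAMPLE_MISCONFIGURED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://pentaho.example.invalid/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pentaho.example.invalid/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_want_assertions_signed(metadata_xml: str) -> list[str]:
    """Return findings; an empty list means every SPSSODescriptor requires signed assertions."""
    root = ET.fromstring(metadata_xml)
    findings, found = [], False
    for desc in root.iter(SPSSO):
        found = True
        value = desc.get("WantAssertionsSigned")
        if value is None:
            # Attribute is optional in the schema and defaults to false.
            findings.append("WantAssertionsSigned is absent (defaults to false): unsigned assertions are accepted")
        elif value.strip().lower() not in ("true", "1"):  # xs:boolean accepts true/1
            findings.append(f'WantAssertionsSigned="{value}": unsigned assertions are accepted')
    if not found:
        findings.append("no md:SPSSODescriptor element found")
    return findings


def fix_want_assertions_signed(metadata_xml: str) -> str:
    """Return the metadata with WantAssertionsSigned="true" on every SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    for desc in root.iter(SPSSO):
        desc.set("WantAssertionsSigned", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_want_assertions_signed(SAMPLE_MISCONFIGURED):
        print("FINDING:", finding)
    fixed = fix_want_assertions_signed(SAMPLE_MISCONFIGURED)
    print("after fix:", check_want_assertions_signed(fixed))  # after fix: []
```

Restart the Pentaho Server after writing the corrected file back, as in the steps above.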
If you have any questions please contact Pentaho Customer Support or your CSM.