From 8e1efb52bea338e43fed0e1d7ca4a0da234990a9 Mon Sep 17 00:00:00 2001
From: maximthomas
Date: Fri, 14 Jul 2023 10:50:57 +0300
Subject: [PATCH 1/2] deny unsigned SAML response
---
 .../src/main/java/com/sun/identity/saml/common/SAMLUtils.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java b/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java
index 7e78b60e41..0cf20cbb39 100644
--- a/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java
+++ b/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java
@@ -951,6 +951,10 @@ public static Response getResponse(byte [] bytes) {
 */
 public static boolean verifyResponse(Response response, String requestUrl,
 HttpServletRequest request) {
+ if(!response.isSigned()) {
+ debug.message("verifyResponse: Response is not signed");
+ return false;
+ }
 if (!response.isSignatureValid()) {
 debug.message("verifyResponse: Response's signature is invalid.");
 return false;
From d6ba6eb3d58c8e8209db5c286454f6ac94486190 Mon Sep 17 00:00:00 2001
From: maximthomas
Date: Fri, 14 Jul 2023 13:03:46 +0300
Subject: [PATCH 2/2] deny unsigned SAML response
---
 .../java/com/sun/identity/saml/common/SAMLUtils.java | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java b/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java
index 0cf20cbb39..6c8c90e164 100644
--- a/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java
+++ b/openam-federation/openam-federation-library/src/main/java/com/sun/identity/saml/common/SAMLUtils.java
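Review bot: The new rejection of an unsigned Response in verifyResponse is recorded only with `debug.message`, which is normally switched off outside development, so a production deployment gets no trace of the event that this fix exists to catch; logging it at warning level, `debug.warning("verifyResponse: Response is not signed, rejecting");`, keeps the rejection visible for monitoring and incident triage without changing the return value. The Javadoc whose closing `*/` is the hunk's first context line should also state that a Response without a signature now fails verification, since callers previously only had the signature-validity condition documented. As a style point, the added `if(!response.isSigned())` drops the space after `if` that the existing `if (!response.isSignatureValid())` on the next line uses. verifyResponse continues past the end of the hunk.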
@@ -1589,13 +1589,13 @@ public static Map processResponse(Response samlResponse, String target)
 List assertions = null;
 SAMLServiceManager.SOAPEntry partnerdest = null;
 Subject assertionSubject = null;
- if (samlResponse.isSigned()) {
- // verify the signature
- boolean isSignedandValid = verifySignature(samlResponse);
- if (!isSignedandValid) {
- throw new SAMLException(bundle.getString("invalidResponse"));
- }
+
+ // verify the signature
+ boolean isSignedandValid = verifySignature(samlResponse);
+ if (!isSignedandValid) {
+ throw new SAMLException(bundle.getString("invalidResponse"));
 }
+
 // check Assertion and get back a Map of relevant data including,
 // Subject, SOAPEntry for the partner and the List of Assertions.
 Map ssMap = verifyAssertionAndGetSSMap(samlResponse);
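Review bot: Whether processResponse now rejects an unsigned Response rests entirely on what `verifySignature(samlResponse)` returns when there is no signature to check, and that method is not in the hunk; if it reports "nothing to verify" as success, the isSigned() gate this hunk removes was the only thing standing between an unsigned Response and the assertion processing below, and the commit's intent would not be met here. Mirroring the explicit guard PATCH 1 adds to verifyResponse removes the dependency on that helper's behaviour: `if (!samlResponse.isSigned() || !verifySignature(samlResponse)) {` in place of the boolean local, keeping the same `invalidResponse` exception. The retained comment `// verify the signature` could then read `// the Response must be signed and the signature must verify; unsigned Responses are rejected` so the stricter contract is visible at the call site. processResponse begins and ends outside the hunk.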