feat(saml): validate MDQ metadata signatures

[leifj]

MDQ Metadata Signature Validation

Problem

The MDQ client (internal/apigw/samlsp/mdq.go) fetches IdP metadata from a Metadata Query Protocol server and parses it with xml.Unmarshal without validating the metadata signature. In SAML federations (e.g., SWAMID, eduGAIN), metadata is typically signed by the federation operator to prevent tampering.

If the MDQ server is compromised or the network path is MITM'd (despite TLS), an attacker could inject malicious IdP metadata containing attacker-controlled signing certificates, enabling them to forge SAML assertions that would pass signature validation.

Current Behavior

// mdq.go — GetIDPMetadata()
var metadata saml.EntityDescriptor
if err := xml.Unmarshal(body, &metadata); err != nil {
    return nil, fmt.Errorf("failed to parse IdP metadata XML: %w", err)
}
// No signature validation!

Expected Behavior

When a metadata signing certificate is configured, the MDQ client should:

1. Parse the XML response and locate the <ds:Signature> element
2. Validate the signature against the configured federation signing certificate
3. Reject metadata with invalid/missing signatures when verification is required

Scope

• Add optional MetadataSigningCertPath field to the SAML config
• When configured, validate XML signatures on fetched metadata using goxmldsig
• Apply to both MDQ and static metadata sources
• Add integration test for signed metadata validation

Risk Assessment

MEDIUM — Requires either MDQ server compromise or network-level attack. TLS provides the primary protection layer, but defense-in-depth requires metadata signature validation for federation deployments.

References

• SAML Metadata Interoperability Profile §3.1 (metadata signature requirements)
• REFEDS MFA Profile (trusted metadata handling)