Project

General

Profile

0001-PAOS-Do-not-populate-Destination-attribute.patch

Dmitrii S., 28 Jun 2019 01:46 AM

Download (4.36 KB)

View differences:

Subject: [PATCH] PAOS: Do not populate "Destination" attribute

When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
populates an AuthnRequest with the "Destination" attribute set to
AssertionConsumerURL of an SP - this leads to IdP-side errors because
the destination attribute in the request does not match the IdP URL.

The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
avoid setting that optional attribute because an ECP decides which IdP
to use, not the SP.

Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
 lasso/saml-2.0/login.c   | 27 +++++++++++++++++----------
 lasso/saml-2.0/profile.c | 11 ++++++++++-
 2 files changed, 27 insertions(+), 11 deletions(-)
lasso/saml-2.0/login.c
222 222
gint
223 223
lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
224 224
{
225
	char *url = NULL;
225
	char *consumer_url = NULL;
226 226
	gboolean must_sign = TRUE;
227 227
	LassoProfile *profile;
228 228
	LassoSamlp2AuthnRequest *authn_request;
......
247 247
	}
248 248

  
249 249
	if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
250

  
251 250
		/*
252
		 * PAOS is special, the url passed to build_request is the
251
		 * PAOS is special, as the destination is determined
252
		 * by a client (ECP), not an SP. The saml-bindings-2.0-os
253
		 * specification only describes the use of the destination
254
		 * attribute for HTTP redirect binding and HTTP POST binding,
255
		 * not PAOS. So the destination attribute must be left unset to
256
		 * avoid IdP-side errors.
257
		 *
258
		 * However, the url passed to build_request is the
253 259
		 * AssertionConsumerServiceURL of this SP, not the
254
		 * destination.
260
-                * destination IdP URL. The build_request function handles
261
                 * PAOS as a special case in terms of populating the
262
		 * destination attribute.
255 263
		 */
256 264
		if (authn_request->AssertionConsumerServiceURL) {
257
			url = authn_request->AssertionConsumerServiceURL;
265
			consumer_url = authn_request->AssertionConsumerServiceURL;
258 266
			if (!lasso_saml20_provider_check_assertion_consumer_service_url(
259
					LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
267
					LASSO_PROVIDER(profile->server), consumer_url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
260 268
				rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
261 269
				goto cleanup;
262 270
			}
263 271
		} else {
264
			url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
272
			consumer_url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
265 273
					LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
266
			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
274
			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, consumer_url);
267 275
		}
268 276
	}
269 277

  
270

  
271 278
	lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
272
				login->http_method, url));
279
				login->http_method, consumer_url));
273 280

  
274 281
cleanup:
275 282
	return rc;
lasso/saml-2.0/profile.c
968 968
		made_url = url = get_url(provider, service, http_method_to_binding(method));
969 969
	}
970 970

  
971
	if (url) {
971

  
972
	// Usage of the Destination attribute on a request is mandated only
973
	// in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
974
	// and is marked as optional in the XSD schema otherwise.
975
	// PAOS is a special case because an SP does not select an IdP - ECP does
976
	// it instead. Therefore, this attribute needs to be left unpopulated.
977
	if (method == LASSO_HTTP_METHOD_PAOS) {
978
		lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
979
				NULL);
980
	} else if (url) {
972 981
		lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
973 982
				url);
974 983
	} else {
975
-