
0001-PAOS-Do-not-populate-Destination-attribute.patch

patch rev 3 - Dmitrii S., 03 Jul 2019 08:10 AM


Subject: [PATCH] PAOS: Do not populate "Destination" attribute

When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
populates an AuthnRequest with the "Destination" attribute set to
AssertionConsumerURL of an SP - this leads to IdP-side errors because
the destination attribute in the request does not match the IdP URL.

The "Destination" attribute is mandatory only for the HTTP Redirect and HTTP
POST bindings, and only when the AuthnRequest is signed, per saml-bindings-2.0-os
(sections 3.4.5.2 and 3.5.5.2). For PAOS specifically it makes sense not to set
this optional attribute, because with ECP it is the ECP client, not the SP, that
decides which IdP to use.

Fixes Bug: 34409
Signed-off-by: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
 lasso/saml-2.0/login.c   | 18 +++++++++---------
 lasso/saml-2.0/profile.c | 10 +++++++++-
 2 files changed, 18 insertions(+), 10 deletions(-)
lasso/saml-2.0/login.c
222 222
gint
223 223
lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
224 224
{
225
	char *url = NULL;
225
	char *assertionConsumerServiceURL = NULL;
226 226
	gboolean must_sign = TRUE;
227 227
	LassoProfile *profile;
228 228
	LassoSamlp2AuthnRequest *authn_request;
......
247 247
	}
248 248

  
249 249
	if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
250

  
251 250
		/*
252 251
		 * PAOS is special, the url passed to build_request is the
253 252
		 * AssertionConsumerServiceURL of this SP, not the
254
		 * destination.
253
		 * destination IdP URL. This is done to fill paos:responseConsumerURL
254
		 * appropriately down the line in build_request_msg.
255
		 * See https://dev.entrouvert.org/issues/34409 for more information.
255 256
		 */
256 257
		if (authn_request->AssertionConsumerServiceURL) {
257
			url = authn_request->AssertionConsumerServiceURL;
258
			assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
258 259
			if (!lasso_saml20_provider_check_assertion_consumer_service_url(
259
					LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
260
					LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
260 261
				rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
261 262
				goto cleanup;
262 263
			}
263 264
		} else {
264
			url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
265
			assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
265 266
					LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
266
			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
267
			lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
267 268
		}
268 269
	}
269 270

  
270

  
271 271
	lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
272
				login->http_method, url));
272
				login->http_method, assertionConsumerServiceURL));
273 273

  
274 274
cleanup:
275 275
	return rc;
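Review bot: The else branch of the PAOS block hands `assertionConsumerServiceURL` to `lasso_assign_new_string` and then to `lasso_saml20_profile_build_request_msg` without checking whether `lasso_saml20_provider_get_assertion_consumer_service_url_by_binding` actually found a PAOS endpoint in the SP metadata; if that lookup can return NULL (not visible in this hunk), the request presumably goes out with no AssertionConsumerServiceURL and nothing to fill paos:responseConsumerURL from, while the sibling branch rejects a non-matching URL with `LASSO_PROFILE_ERROR_INVALID_REQUEST`. This was already the case before the rename, but since the commit rewrites exactly these lines it is the natural place to add `if (!assertionConsumerServiceURL) { rc = LASSO_PROFILE_ERROR_INVALID_REQUEST; goto cleanup; }` before the assignment (or whichever endpoint-not-found code the project uses). The expanded comment would also benefit from one sentence saying that the local is non-owning in both branches — it aliases `authn_request->AssertionConsumerServiceURL` in the first, and after `lasso_assign_new_string` the string belongs to `authn_request` in the second — so nobody later tries to free it. The first hunk's function body continues outside the visible lines.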
lasso/saml-2.0/profile.c
968 968
		made_url = url = get_url(provider, service, http_method_to_binding(method));
969 969
	}
970 970

  
971
	if (url) {
971

  
972
	// Usage of the Destination attribute on a request is mandated only
973
	// in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
974
	// and is marked as optional in the XSD schema otherwise.
975
	// PAOS is a special case because an SP does not select an IdP - ECP does
976
	// it instead. Therefore, this attribute needs to be left unpopulated.
977
	if (method == LASSO_HTTP_METHOD_PAOS) {
978
		lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
979
	} else if (url) {
972 980
		lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
973 981
				url);
974 982
	} else {
975
-