Bug #1298

SAML 2.0 HTTP-POST RelayState not forwarded to the SP

Added by Arnaud Maillet over 8 years ago. Updated about 2 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 07 Mar 2012
Due date:
% Done: 0%
Patch proposed:
Planning: No

Description

Hello,

Here is the configuration:

IDP: Authentic
SP: my SAML 2.0 Server

My SP server initiated an HTTP-POST AuthnRequest with a "RelayState" to Authentic (IDP), and after some debugging I figured out that Authentic doesn't forward the RelayState.

Here is my debugging trace in the return_saml2 function (saml2/common.py):

/usr/local/lib/python2.7/dist-packages/authentic2/saml/common.py(171)return_saml()

-> 'relay_state': profile.msgRelayState},
(Pdb) p profile.msgRelayState
None
(Pdb) p request._get_post()['RelayState']
u'LCkji5FkDJ2dDYe3oHh53uoYID00B'

I made a little workaround:
  • common.py 2012-03-06 14:23:07.941738320 +0100
    --- common_patch.py 2012-03-07 09:10:45.181745846 +0100 *******
  • 166,172 **
    'url': profile.msgUrl,
    'fieldname': field_name,
    'body': profile.msgBody,
    ! 'relay_state': profile.msgRelayState },
    context_instance=context_instance)
    return HttpResponse(profile.msgBody, mimetype = 'text/xml')
    elif profile.msgUrl:
    --- 166,172 ----
    'url': profile.msgUrl,
    'fieldname': field_name,
    'body': profile.msgBody,
    ! 'relay_state': request._get_post()['RelayState']},
    context_instance=context_instance)
    return HttpResponse(profile.msgBody, mimetype = 'text/xml')
    elif profile.msgUrl:
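Review bot: the replacement line `'relay_state': request._get_post()['RelayState']}` in the second half of the hunk indexes the POST data unconditionally, so any request that arrives without a RelayState (the binding makes it optional, and a Redirect-binding request carries it in the query string, not the body) raises KeyError instead of rendering the response form. `request.POST.get('RelayState', profile.msgRelayState)` keeps the existing value as the fallback and avoids the private `_get_post()` API. The value is opaque, SP-supplied data that ends up inside an HTML attribute of the auto-POST form, so it must stay escaped when the template writes the hidden input.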

According to the SAML2 norm, for an HTTP-POST AuthnRequest (http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, p. 22):

If a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response.

What do you think about it? Did I miss something?

Regards
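The requirement quoted in the report (the IdP must return the exact RelayState it received, using a binding that supports one) is easy to get wrong in both directions: dropping the value, as the report describes, or reading it unconditionally and failing on requests that carry none. The following is an added example, not Authentic's code, showing how an IdP can extract the RelayState from either binding's parameters, carry it unchanged into the HTTP-POST response form context and render the form with the value escaped. The function names, the SP URL and the base64 samples are assumptions; the RelayState value is the one from the trace above.

```python
import html

# The SAML 2.0 Bindings spec (saml-bindings-2.0-os, sections 3.4.3 and 3.5.3)
# caps RelayState at 80 bytes; anything longer is not a conforming value.
RELAY_STATE_MAX_BYTES = 80


class RelayStateError(ValueError):
    """The RelayState that accompanied the request cannot be used."""


def extract_relay_state(get_params, post_params):
    """Return the RelayState sent with an AuthnRequest, or None if there was none.

    The HTTP-Redirect binding carries RelayState as a query parameter and the
    HTTP-POST binding as a form field, so both dictionaries are consulted.
    Lookups use .get() rather than indexing so a request without RelayState
    does not raise KeyError.
    """
    value = post_params.get('RelayState')
    if not value:
        value = get_params.get('RelayState')
    if not value:
        return None
    if len(value.encode('utf-8')) > RELAY_STATE_MAX_BYTES:
        raise RelayStateError('RelayState longer than %d bytes' % RELAY_STATE_MAX_BYTES)
    return value


def build_post_form_context(sp_url, field_name, body, relay_state):
    """Template context for the IdP's auto-submitting HTTP-POST response form.

    The binding requires the IdP to return the *exact* RelayState it received,
    so the value is copied untouched; when no RelayState came in, the key is
    left out instead of being rendered as the string 'None'.
    """
    context = {'url': sp_url, 'fieldname': field_name, 'body': body}
    if relay_state is not None:
        context['relay_state'] = relay_state
    return context


def render_post_form(context):
    """Render the HTML form the browser will auto-submit to the SP.

    RelayState is opaque data chosen by the requester, so every value is
    HTML-escaped before being placed inside an attribute.
    """
    def esc(s):
        return html.escape(s, quote=True)

    fields = ['<input type="hidden" name="%s" value="%s"/>'
              % (esc(context['fieldname']), esc(context['body']))]
    if 'relay_state' in context:
        fields.append('<input type="hidden" name="RelayState" value="%s"/>'
                      % esc(context['relay_state']))
    return ('<form method="post" action="%s">%s'
            '<noscript><input type="submit"/></noscript></form>'
            % (esc(context['url']), ''.join(fields)))


def respond_to_authn_request(get_params, post_params, sp_url, response_b64):
    """Extract the RelayState, carry it into the context, render the form."""
    relay_state = extract_relay_state(get_params, post_params)
    context = build_post_form_context(sp_url, 'SAMLResponse', response_b64, relay_state)
    return render_post_form(context)


if __name__ == '__main__':
    # Constructed sample: the POST parameters an IdP would see from the
    # reporter's SP; the RelayState is the value from the bug report's trace,
    # the SAMLRequest/SAMLResponse payloads are placeholder base64 strings.
    sample_post = {'SAMLRequest': 'PHNhbWxwOkF1dGhuUmVxdWVzdC8+',
                   'RelayState': 'LCkji5FkDJ2dDYe3oHh53uoYID00B'}
    print(respond_to_authn_request({}, sample_post,
                                   'https://sp.example.test/acs',  # assumed SP ACS URL
                                   'PHNhbWxwOlJlc3BvbnNlLz4='))
```

Running the module prints the form for the constructed sample. The same `extract_relay_state` serves both bindings, which is why the Redirect case (RelayState in the query string, empty POST) and the no-RelayState case (no hidden input rendered at all) are both handled without special-casing in the caller.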


Related issues

Related to Authentic 2 - Development #40722: idp_saml2: the RelayState is not kept when an SSO request is received via POST (Solution deployed, 13 Mar 2020)

History

#1 Updated by Mikaël Ates over 8 years ago

Hello,

Authentic 2 does not support the POST binding for AuthnRequest, only the Redirect binding.

As defined in the conformance document of the SAML2 specifications, the POST binding for the AuthnRequest is possible. However, only the redirect binding is present in the feature matrix used for conformance.

It is not explicit looking at the code, since some parts are designed for future support of the POST binding. We'll also update the feature part of the documentation to make that explicit.

It is still interesting to know that you use it.

Regards,

Mikaël

#2 Updated by Arnaud Maillet over 8 years ago

Good to know!

I was mistaken by the metadata of the IDP and the code :). And yes, it works really well if I use HTTP-Redirect! In my case my little patch was sufficient to make Authentic work with HTTP-POST.

Thank you for your time.

Regards,

#3 Updated by Mikaël Ates about 8 years ago

  • Status changed from New to 7

#4 Updated by Benjamin Dauvergne about 2 years ago

  • Status changed from 7 to Rejected

#5 Updated by Mikaël Ates 3 months ago

  • Related to Development #40722: idp_saml2: the RelayState is not kept when an SSO request is received via POST added
