Bug #1298

SAML 2.0 HTTP-POST RelayState not forwarded to the SP

Added by Arnaud Maillet about 12 years ago. Updated almost 6 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
07 March 2012
Due date:
% Done:

0%

Estimated time:
Patch proposed:
Planning:

Description

Hello,

Here is the configuration:

IDP: Authentic
SP: my SAML 2.0 Server

My SP server initiated an HTTP-POST AuthnRequest with a "RelayState" to Authentic (IDP), and after some debugging I figured out that Authentic doesn't forward the RelayState.

Here is my debugging trace in the return_saml2 function (saml2/common.py):

/usr/local/lib/python2.7/dist-packages/authentic2/saml/common.py(171)return_saml()

-> 'relay_state': profile.msgRelayState},
(Pdb) p profile.msgRelayState
None
(Pdb) p request._get_post()['RelayState']
u'LCkji5FkDJ2dDYe3oHh53uoYID00B'

I made a little workaround:
  • common.py 2012-03-06 14:23:07.941738320 +0100
    --- common_patch.py 2012-03-07 09:10:45.181745846 +0100 *******
  • 166,172 **
    'url': profile.msgUrl,
    'fieldname': field_name,
    'body': profile.msgBody,
    ! 'relay_state': profile.msgRelayState },
    context_instance=context_instance)
    return HttpResponse(profile.msgBody, mimetype = 'text/xml')
    elif profile.msgUrl:
    --- 166,172 ----
    'url': profile.msgUrl,
    'fieldname': field_name,
    'body': profile.msgBody,
    ! 'relay_state': request._get_post()['RelayState']},
    context_instance=context_instance)
    return HttpResponse(profile.msgBody, mimetype = 'text/xml')
    elif profile.msgUrl:
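Review bot: the replacement line `'relay_state': request._get_post()['RelayState']` raises KeyError whenever the POST body carries no RelayState, which the binding permits since RelayState is optional, and it also throws away `profile.msgRelayState`, the value the rest of this function (including the `elif profile.msgUrl:` branch below) relies on for requests that arrived over the Redirect binding. Prefer `request.POST.get('RelayState', profile.msgRelayState)` so the POST form field wins when present and the existing behaviour is kept otherwise; `request.POST` is the public Django accessor, whereas `_get_post()` is a private method that may change between Django releases.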

According to the SAML 2.0 standard, for an HTTP-POST AuthnRequest (http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, p. 22):

If a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response.

What do you think about it? Did I miss something?

Regards
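To make the behaviour the spec quote requires concrete, here is an added illustration (not Authentic's code, not the reporter's patch) of the IdP side of the RelayState round trip: it looks for RelayState in the POST body, then in the query string, then in whatever the SAML library already decoded, and only then builds the HTTP-POST form context whose keys (`url`, `fieldname`, `body`, `relay_state`) mirror the dict in the hunk above. The request is modelled as two plain dicts (`get_params`, `post_params`) instead of a Django request so it runs offline; the 80-byte limit and the HTML escaping are the two checks a practitioner would want around a value that the peer controls.

```python
"""Echo a SAML 2.0 RelayState back to the SP over the HTTP-POST binding.

Added illustration, not code from Authentic or from the bug report.  The
request is modelled as plain dicts (`get_params`, `post_params`) rather than
a Django HttpRequest so the module runs stand-alone.
"""
import html
from typing import Mapping, Optional

# SAML 2.0 Bindings, section 3.1.1: "The value MUST NOT exceed 80 bytes".
RELAY_STATE_MAX_BYTES = 80


def find_relay_state(get_params: Mapping[str, str],
                     post_params: Mapping[str, str],
                     profile_relay_state: Optional[str] = None) -> Optional[str]:
    """Return the RelayState that accompanied the inbound request, or None.

    Lookup order: form field of an HTTP-POST request, query parameter of an
    HTTP-Redirect request, then whatever the SAML library already decoded
    (`profile.msgRelayState` in the report).  Absence is normal, RelayState
    is optional in both bindings, so nothing is raised when it is missing.
    """
    for source in (post_params, get_params):
        value = source.get("RelayState")
        if value:
            return value
    return profile_relay_state


def build_post_context(url: str, field_name: str, body: str,
                       get_params: Mapping[str, str],
                       post_params: Mapping[str, str],
                       profile_relay_state: Optional[str] = None) -> dict:
    """Build the template context for the auto-submitting HTTP-POST form.

    Keys mirror the dict quoted in the bug report.  An over-long RelayState
    is rejected rather than echoed: the peer already violated the binding.
    """
    relay_state = find_relay_state(get_params, post_params, profile_relay_state)
    if relay_state is not None and len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
        raise ValueError("RelayState exceeds %d bytes" % RELAY_STATE_MAX_BYTES)
    return {"url": url, "fieldname": field_name, "body": body,
            "relay_state": relay_state}


def render_post_form(context: dict) -> str:
    """Render the HTTP-POST binding form.

    Every value is HTML-escaped.  RelayState and the destination URL come
    from the peer, so writing them raw into the page would let a crafted
    request inject markup into the IdP's own response page.
    """
    esc = html.escape
    fields = ['<input type="hidden" name="%s" value="%s"/>'
              % (esc(context["fieldname"]), esc(context["body"]))]
    if context["relay_state"] is not None:
        fields.append('<input type="hidden" name="RelayState" value="%s"/>'
                      % esc(context["relay_state"]))
    return ('<form method="post" action="%s">%s'
            '<noscript><input type="submit"/></noscript></form>'
            % (esc(context["url"]), "".join(fields)))


if __name__ == "__main__":
    # Constructed sample reproducing the report: the SP's POST carried the
    # RelayState while the library left profile.msgRelayState as None.
    post = {"SAMLRequest": "BASE64_AUTHNREQUEST_PLACEHOLDER",
            "RelayState": "LCkji5FkDJ2dDYe3oHh53uoYID00B"}
    ctx = build_post_context("https://sp.example/acs", "SAMLResponse",
                             "BASE64_RESPONSE_PLACEHOLDER", {}, post, None)
    print(render_post_form(ctx))
```

The IdP's only job is to echo the bytes it received, unchanged; the SP remains responsible for treating the value as opaque and checking it against state it stored itself before acting on it (for instance before redirecting the user to it).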


Related issues

Related to Authentic 2 - Development #40722: idp_saml2: the RelayState is not preserved when an SSO request is received via POST (Closed, 13 March 2020)

History

#1

Updated by Mikaël Ates (back on 29 April) about 12 years ago

Hello,

Authentic 2 does not support the POST binding for AuthnRequest, only the Redirect binding.

As defined in the conformance document of the SAML2 specifications, the POST binding for the AuthnRequest is possible. However, only the redirect binding is present in the feature matrix used for conformance.

It is not explicit looking at the code, since some parts are designed for future support of the POST binding. We'll also update the feature part of the documentation to make that explicit.

It is still interesting to know that you use it.

Regards,

Mikaël

#2

Updated by Arnaud Maillet about 12 years ago

Good to know!

I was mistaken by the metadata of the IDP and the code :). And yes, it works really well if I use HTTP-Redirect! In my case my little patch was sufficient to make Authentic work with HTTP-POST.

Thank you for your time.

Regards,

#3

Updated by Mikaël Ates (back on 29 April) about 12 years ago

  • Status changed from New to 7

#4

Updated by Benjamin Dauvergne almost 6 years ago

  • Status changed from 7 to Rejected

#5

Updated by Mikaël Ates (back on 29 April) about 4 years ago

  • Related to Development #40722: idp_saml2: the RelayState is not preserved when an SSO request is received via POST added
