Bug #1309
has_synchronous_methods is designed when Authentic is IDP and not when Authentic is SP
Description
Hello,
Here is my configuration:
SP: Authentic
IDP: My server
When the SP (Authentic) builds an AuthnRequest (Single Sign On) for the IDP (my server) there is a call to:
lasso_saml20_provider_get_first_http_method
This method retrieves the supported binding "SingleSignOnService" of the IDP and checks that this one is synchronous:
	if (http_method_kind(result) == SYNCHRONOUS
			&& ! has_synchronous_methods(provider, protocol_type))
		continue;
For example result = LASSO_HTTP_METHOD_REDIRECT and protocol_type = LASSO_MD_PROTOCOL_TYPE_SINGLE_SIGN_ON.
If the retrieved method of the IDP is synchronous, this one also checks that the provider (SP) has synchronous methods to retrieve the SAMLResponse of the IDP:
	if (http_method_kind(result) == SYNCHRONOUS
			&& ! has_synchronous_methods(provider, protocol_type))
		continue;
The problem of "has_synchronous_methods" is:
	kind = profile_names[protocol_type]; // in our case: kind = "SingleSignOnService"
	if (endpoint_type && lasso_strisequal(endpoint_type->kind, kind)) {
		result = binding_uri_to_http_method(endpoint_type->binding);
		if (http_method_kind(result) == SYNCHRONOUS)
			return TRUE;
	}
In this configuration, the SP doesn't have a "SingleSignOnService" kind because it's an SP:
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://192.168.0.25:8000/authsaml2/singleLogout" ResponseLocation="http://192.168.0.25:8000/authsaml2/singleLogoutReturn"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://192.168.0.25:8000/authsaml2/singleLogoutSOAP"/>
<ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://192.168.0.25:8000/authsaml2/manageNameIdSOAP"/>
<ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://192.168.0.25:8000/authsaml2/manageNameId" ResponseLocation="http://192.168.0.25:8000/authsaml2/manageNameIdReturn"/>
<ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://192.168.0.25:8000/authsaml2/singleSignOnArtifact" index="1"/>
<ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://192.168.0.25:8000/authsaml2/singleSignOnPost" index="2"/>
I think in this function, when the call is made by an SP, kind should be "AssertionConsumerService":
kind = profile_names[protocol_type]; // should return AssertionConsumerService
Because we have to check that the SP can retrieve the SAMLResponse, and the kind to check is "AssertionConsumerService" and not "SingleSignOnService" when the provider is an SP.
What do you think about that?
Regards,
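The role-dependent endpoint check the report describes, as an added example in Python (not Lasso's or Authentic's own code). It parses SAML 2.0 metadata with the standard library, implements the check once with a role-agnostic endpoint table (the behaviour reported above) and once with a per-role table, and runs a simplified version of the selection loop quoted from lasso_saml20_provider_get_first_http_method over both. The metadata, entity IDs and locations are constructed; the constant names SINGLE_SIGN_ON and SINGLE_LOGOUT, the "idp"/"sp" role strings and the classification of HTTP-POST and HTTP-Artifact as synchronous alongside HTTP-Redirect are assumptions of this example, not Lasso's definitions.

```python
"""Role-aware endpoint selection for SAML 2.0 metadata.

Added example, not code from Lasso or Authentic: it re-implements the logic
described in the bug report in plain Python so that the buggy and the fixed
check can be compared on constructed metadata.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Bindings counted as "synchronous" in the sense the report uses for
# HTTP-Redirect: the response comes back through the user's browser, so the
# receiving side needs a browser-facing endpoint. Classifying HTTP-POST and
# HTTP-Artifact the same way is an assumption of this example; SOAP is the
# back-channel case and is deliberately left out of the set.
SYNCHRONOUS_BINDINGS = {
    BINDING + "HTTP-Redirect",
    BINDING + "HTTP-POST",
    BINDING + "HTTP-Artifact",
}

# Protocol types, named after the Lasso constants quoted in the report (assumed names).
SINGLE_SIGN_ON = "SINGLE_SIGN_ON"
SINGLE_LOGOUT = "SINGLE_LOGOUT"

# Buggy table: one endpoint kind per protocol type, whatever the provider's role.
PROFILE_NAMES_ROLE_AGNOSTIC = {
    SINGLE_SIGN_ON: "SingleSignOnService",
    SINGLE_LOGOUT: "SingleLogoutService",
}

# Fixed table: an SP receives the SSO response on its AssertionConsumerService,
# while the logout endpoint carries the same name for both roles.
PROFILE_NAMES_BY_ROLE = {
    "idp": {SINGLE_SIGN_ON: "SingleSignOnService", SINGLE_LOGOUT: "SingleLogoutService"},
    "sp": {SINGLE_SIGN_ON: "AssertionConsumerService", SINGLE_LOGOUT: "SingleLogoutService"},
}


def bindings_of(metadata_xml, kind):
    """Return the Binding URIs of every <md:kind> element, in document order."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Binding") for el in root.iter(f"{{{MD_NS}}}{kind}") if el.get("Binding")]


def has_synchronous_methods_buggy(metadata_xml, protocol_type, role=None):
    """The check as the report describes it: always looks at SingleSignOnService
    for single sign-on, so an SP (which has none) is never found to qualify."""
    kind = PROFILE_NAMES_ROLE_AGNOSTIC[protocol_type]
    return any(b in SYNCHRONOUS_BINDINGS for b in bindings_of(metadata_xml, kind))


def has_synchronous_methods(metadata_xml, protocol_type, role):
    """Role-aware check: look at the endpoint kind this role actually exposes."""
    kind = PROFILE_NAMES_BY_ROLE[role][protocol_type]
    return any(b in SYNCHRONOUS_BINDINGS for b in bindings_of(metadata_xml, kind))


def first_http_method(remote_xml, remote_role, local_xml, local_role, protocol_type, checker):
    """Simplified version of the selection loop quoted in the report: walk the
    remote provider's endpoints for this protocol and return the first binding
    whose reply the local provider can receive, or None if there is none."""
    remote_kind = PROFILE_NAMES_BY_ROLE[remote_role][protocol_type]
    for binding in bindings_of(remote_xml, remote_kind):
        if binding in SYNCHRONOUS_BINDINGS and not checker(local_xml, protocol_type, local_role):
            continue
        return binding
    return None


# Constructed SP metadata modelled on the endpoint list quoted in the report
# (entity IDs and locations are placeholders).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{BINDING}HTTP-Redirect" Location="https://sp.example/singleLogout"/>
    <md:SingleLogoutService Binding="{BINDING}SOAP" Location="https://sp.example/singleLogoutSOAP"/>
    <md:AssertionConsumerService Binding="{BINDING}HTTP-Artifact" Location="https://sp.example/acsArtifact" index="1"/>
    <md:AssertionConsumerService Binding="{BINDING}HTTP-POST" Location="https://sp.example/acsPost" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata: SSO over HTTP-Redirect/POST, logout over SOAP only.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{BINDING}SOAP" Location="https://idp.example/singleLogoutSOAP"/>
    <md:SingleSignOnService Binding="{BINDING}HTTP-Redirect" Location="https://idp.example/sso"/>
    <md:SingleSignOnService Binding="{BINDING}HTTP-POST" Location="https://idp.example/ssoPost"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    args = (IDP_METADATA, "idp", SP_METADATA, "sp", SINGLE_SIGN_ON)
    print("buggy check selects:", first_http_method(*args, has_synchronous_methods_buggy))
    print("fixed check selects:", first_http_method(*args, has_synchronous_methods))
```

With the role-agnostic table every front-channel SSO binding offered by the IdP is skipped and no method is selected, which is the failure the report describes; with the per-role table the SP's AssertionConsumerService endpoints satisfy the check and HTTP-Redirect is chosen. The single-logout case is unchanged by the fix because both tables map it to SingleLogoutService.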
Files
History
Updated by Benjamin Dauvergne about 12 years ago
- File lasso_saml20_provider_get_first_http_method.diff added
Your analysis of the problem is good. I attach a patch to fix it. Could you verify that it really fixes your problem?
Updated by Arnaud Maillet about 12 years ago
The patch seems ok, I tried with Authentic as an SP and Authentic as an IDP and I didn't find any problem.
Updated by Arnaud Maillet about 12 years ago
Hm, I tried with Authentic as an SP and Authentic as an IDP and I didn't find any problem.
Updated by Benjamin Dauvergne over 8 years ago
- Status changed from New to Closed
Published as part of the 2.3.6 release.