
Bug #1309

has_synchronous_methods is designed when Authentic is IDP and not when Authentic is SP

Added by Arnaud Maillet almost 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 13 Mar 2012
Due date:
% Done: 0%
Patch proposed:
Planning: No

Description

Hello,

Here is my configuration:

SP: Authentic
IDP: my server

When the SP (Authentic) builds an AuthnRequest (Single Sign On) for the IDP (my server), there is a call to:

lasso_saml20_provider_get_first_http_method

This method retrieves the supported "SingleSignOnService" binding of the IDP and checks that this one is synchronous:

    if (http_method_kind(result) == SYNCHRONOUS
        && ! has_synchronous_methods(provider, protocol_type))
        continue;

For example result = LASSO_HTTP_METHOD_REDIRECT and protocol_type = LASSO_MD_PROTOCOL_TYPE_SINGLE_SIGN_ON.

If the retrieved method of the IDP is synchronous, this one also checks that the provider (SP) has synchronous methods to retrieve the SAMLResponse of the IDP:

    if (http_method_kind(result) == SYNCHRONOUS
        && ! has_synchronous_methods(provider, protocol_type))
        continue;

The problem of "has_synchronous_methods" is:

    kind = profile_names[protocol_type]; // in our case: kind = "SingleSignOnService"

    if (endpoint_type && lasso_strisequal(endpoint_type->kind, kind)) {
        result = binding_uri_to_http_method(endpoint_type->binding);
        if (http_method_kind(result) == SYNCHRONOUS)
            return TRUE;
    }

In this configuration, the SP doesn't have a "SingleSignOnService" kind because it's an SP:

    <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://192.168.0.25:8000/authsaml2/singleLogout" ResponseLocation="http://192.168.0.25:8000/authsaml2/singleLogoutReturn"/>
    <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://192.168.0.25:8000/authsaml2/singleLogoutSOAP"/>
    <ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://192.168.0.25:8000/authsaml2/manageNameIdSOAP"/>
    <ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://192.168.0.25:8000/authsaml2/manageNameId" ResponseLocation="http://192.168.0.25:8000/authsaml2/manageNameIdReturn"/>
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://192.168.0.25:8000/authsaml2/singleSignOnArtifact" index="1"/>
    <ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://192.168.0.25:8000/authsaml2/singleSignOnPost" index="2"/>

I think that in this function, when the call is made by an SP, kind should be "AssertionConsumerService":

    kind = profile_names[protocol_type]; // should return AssertionConsumerService

Because we have to check that the SP can retrieve the SAMLResponse, and the kind to check is "AssertionConsumerService" and not "SingleSignOnService" when the provider is an SP.

What do you think about that?

Regards,

Attachment: lasso_saml20_provider_get_first_http_method.diff (2.04 KB), Benjamin Dauvergne, 17 Mar 2012 01:58 PM
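The following is an added example, not Lasso's code and not the attached patch: a small, self-contained C model of the endpoint-kind lookup the report describes. The function and enum names echo Lasso's (has_synchronous_methods, binding_uri_to_http_method, http_method_kind) but every type, table and function here is an assumption of this example. The SP endpoints are the ones quoted in the report's metadata; the IdP endpoints are constructed, since the reporter's IdP metadata is not on the page. The classification of Redirect/POST/Artifact as SYNCHRONOUS and SOAP as not follows the report's own example (LASSO_HTTP_METHOD_REDIRECT is SYNCHRONOUS) and is likewise an assumption. The buggy lookup always checks "SingleSignOnService" on the SP side, so the SP never appears able to receive a response and no usable method is found; the fixed lookup checks "AssertionConsumerService" for an SP and the first IdP method is selected.

```c
/* Added example (not Lasso code): a simplified model of the endpoint-kind
 * lookup this bug is about.  Names echo Lasso's has_synchronous_methods and
 * binding_uri_to_http_method, but every type, table and function here is an
 * assumption of this example, not the library's own API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { ROLE_SP, ROLE_IDP } Role;
typedef enum { METHOD_INVALID, METHOD_REDIRECT, METHOD_POST,
               METHOD_ARTIFACT, METHOD_SOAP } HttpMethod;
/* Assumption, following the report: front-channel bindings (Redirect, POST,
 * Artifact) count as SYNCHRONOUS, SOAP does not. */
typedef enum { SYNCHRONOUS, ASYNCHRONOUS } MethodKind;

typedef struct { const char *kind; const char *binding; } Endpoint;
typedef struct { Role role; const Endpoint *endpoints; size_t n; } Provider;

#define B(x) "urn:oasis:names:tc:SAML:2.0:bindings:" x

static HttpMethod binding_uri_to_http_method(const char *binding)
{
    if (strcmp(binding, B("HTTP-Redirect")) == 0) return METHOD_REDIRECT;
    if (strcmp(binding, B("HTTP-POST")) == 0)     return METHOD_POST;
    if (strcmp(binding, B("HTTP-Artifact")) == 0) return METHOD_ARTIFACT;
    if (strcmp(binding, B("SOAP")) == 0)          return METHOD_SOAP;
    return METHOD_INVALID;
}

static MethodKind http_method_kind(HttpMethod m)
{
    return m == METHOD_SOAP ? ASYNCHRONOUS : SYNCHRONOUS;
}

/* Buggy lookup: always the IdP-side kind, whatever the provider's role. */
static const char *response_endpoint_kind_buggy(Role role)
{
    (void)role;
    return "SingleSignOnService";
}

/* Fixed lookup: an SP receives the SSO response at its AssertionConsumerService. */
static const char *response_endpoint_kind_fixed(Role role)
{
    return role == ROLE_SP ? "AssertionConsumerService" : "SingleSignOnService";
}

/* True if the provider has at least one front-channel endpoint of the given kind. */
static bool has_synchronous_methods(const Provider *p, const char *kind)
{
    for (size_t i = 0; i < p->n; i++) {
        if (strcmp(p->endpoints[i].kind, kind) != 0)
            continue;
        HttpMethod m = binding_uri_to_http_method(p->endpoints[i].binding);
        if (http_method_kind(m) == SYNCHRONOUS)
            return true;
    }
    return false;
}

/* The selection loop from the report: the first IdP SingleSignOnService method
 * for which the SP can also receive a front-channel response. */
static HttpMethod get_first_sso_method(const Provider *sp, const Provider *idp, bool fixed)
{
    const char *sp_kind = fixed ? response_endpoint_kind_fixed(sp->role)
                                : response_endpoint_kind_buggy(sp->role);
    for (size_t i = 0; i < idp->n; i++) {
        if (strcmp(idp->endpoints[i].kind, "SingleSignOnService") != 0)
            continue;
        HttpMethod result = binding_uri_to_http_method(idp->endpoints[i].binding);
        if (result == METHOD_INVALID)
            continue;
        if (http_method_kind(result) == SYNCHRONOUS && !has_synchronous_methods(sp, sp_kind))
            continue;
        return result;
    }
    return METHOD_INVALID;
}

/* SP endpoints taken from the metadata quoted in the report. */
static const Endpoint sp_endpoints[] = {
    { "SingleLogoutService",      B("HTTP-Redirect") },
    { "SingleLogoutService",      B("SOAP") },
    { "ManageNameIDService",      B("SOAP") },
    { "ManageNameIDService",      B("HTTP-Redirect") },
    { "AssertionConsumerService", B("HTTP-Artifact") },
    { "AssertionConsumerService", B("HTTP-POST") },
};
/* Constructed IdP endpoints; the reporter's IdP metadata is not on the page. */
static const Endpoint idp_endpoints[] = {
    { "SingleSignOnService", B("HTTP-Redirect") },
    { "SingleSignOnService", B("HTTP-POST") },
};
static const Provider sp  = { ROLE_SP,  sp_endpoints,  sizeof sp_endpoints / sizeof *sp_endpoints };
static const Provider idp = { ROLE_IDP, idp_endpoints, sizeof idp_endpoints / sizeof *idp_endpoints };

HttpMethod select_with_bug(void) { return get_first_sso_method(&sp, &idp, false); }
HttpMethod select_with_fix(void) { return get_first_sso_method(&sp, &idp, true); }

int main(void)
{
    printf("buggy lookup: %d (0 = no usable method)\n", select_with_bug());
    printf("fixed lookup: %d (1 = HTTP-Redirect)\n", select_with_fix());
    return 0;
}
```

The practical point for an operator is that the buggy lookup fails silently: with a perfectly valid SP metadata file the SP simply finds no SSO method and cannot start the login, so a missing or role-mismatched endpoint kind is worth checking explicitly when metadata is loaded rather than discovered only when the first AuthnRequest is built.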

History

#1 Updated by Benjamin Dauvergne almost 8 years ago

Your analysis of the problem is good. I attach a patch to fix it. Could you verify that it really fixes your problem?

#2 Updated by Arnaud Maillet almost 8 years ago

The patch seems OK; I tried with Authentic as an SP and Authentic as an IDP and I didn't find any problem.

#3 Updated by Arnaud Maillet almost 8 years ago

Hm, I tried with Authentic as an SP and Authentic as an IDP and I didn't find any problem.

#4 Updated by Benjamin Dauvergne over 4 years ago

  • Target version set to future

#5 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from New to Closed

Published as part of the 2.3.6 release.
