Bug #1309
has_synchronous_methods is designed when Authentic is IDP and not when Authentic is SP
0%
Description
Hello,
Here is my configuration :
SP : Authentic
IDP : My server
When the SP (Authentic) builds an Authnrequest (Single Sign On) for the IDP (my server) there is a call to :
lasso_saml20_provider_get_first_http_method
This method retrieves the supported binding "SingleSignOnService" of the IDP and checks that this one is synchronous :
if (http_method_kind(result) == SYNCHRONOUS
&& ! has_synchronous_methods(provider, protocol_type))
continue;
For example result = LASSO_HTTP_METHOD_REDIRECT and protocol_type = LASSO_MD_PROTOCOL_TYPE_SINGLE_SIGN_ON.
If the retrieved method of the IDP is synchronous, this one also check that the provider (SP) has synchronous methods to retrieve the SAMLResponse of the IDP :
if (http_method_kind(result) == SYNCHRONOUS
&& ! has_synchronous_methods(provider, protocol_type))
continue;
The problem of "has_synchronous_methods" is :
kind = profile_names[protocol_type]; // in our case : kind = "SingleSignOnService"
if (endpoint_type && lasso_strisequal(endpoint_type->kind, kind)) {
result = binding_uri_to_http_method(endpoint_type->binding);
if (http_method_kind(result) == SYNCHRONOUS)
return TRUE;
}
In this configuration, the SP doesn't have a "SingleSignOnService" kind because it's a SP :
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://192.168.0.25:8000/authsaml2/singleLogout" ResponseLocation="http://192.168.0.25:8000/authsaml2/singleLogoutReturn"/>
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://192.168.0.25:8000/authsaml2/singleLogoutSOAP"/>
<ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://192.168.0.25:8000/authsaml2/manageNameIdSOAP"/>
<ns0:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://192.168.0.25:8000/authsaml2/manageNameId" ResponseLocation="http://192.168.0.25:8000/authsaml2/manageNameIdReturn"/>
<ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://192.168.0.25:8000/authsaml2/singleSignOnArtifact" index="1"/>
<ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://192.168.0.25:8000/authsaml2/singleSignOnPost" index="2"/>
I think in this function when the call is made by an SP, kind should be "AssertionConsumerService " :
kind = profile_names[protocol_type]; // should return AssertionConsumerService
Because we have to check that the SP can retrieve the SAMLResponse, and the kind to check is "AssertionConsumerService" and not "SingleSignOnService" when the provider is an SP.
What do you think about that?
Regards,
Files
History
Updated by Benjamin Dauvergne over 12 years ago
- File lasso_saml20_provider_get_first_http_method.diff lasso_saml20_provider_get_first_http_method.diff added
Your analysis of the problem is good. I attach a patch to fix it. Could you verify that it really fixes your problem ??
Updated by Arnaud Maillet over 12 years ago
The patch seems ok, I try with Authentic as an SP and Authentic as an IDP and I didn't find any problem.
Updated by Arnaud Maillet over 12 years ago
hm I tried with Authentic as an SP and Authentic as an IDP and I didn't find any problem.
Updated by Benjamin Dauvergne over 9 years ago
- Status changed from Nouveau to Fermé
Published as part of the 2.3.6 release.