
Bug #29340

multiple AuthenticatingAuthority elements not allowed in SAML assertion

Added by François Kooman 6 months ago. Updated 5 months ago.

Status: Resolved (to be deployed)
Priority: Normal
Category: -
Target version: 2.6.1
Start date: 24 Dec 2018
Due date: -
% Done: 0%
Patch proposed: Yes
Planning: No

Description

SAML Assertions with multiple AuthenticatingAuthority elements are not allowed in lasso, but are allowed according to the schema.

Attached patch fixes it, but I am not sure it is correct, nor am I completely sure this is the proper way to fix it.

lasso-fix-AuthenticatingAuthority.diff View (760 Bytes) François Kooman, 24 Dec 2018 06:06 PM

Associated revisions

Revision 151ad17e (diff)
Added by Benjamin Dauvergne 5 months ago

xml: adapt schema in saml2:AuthnContext (#29340)

The saml2:AuthnContext XML schema indicates that AuthenticatingAuthority is
an optional unbounded list of nodes, but the current Lasso schema only
handles a single element. To prevent Lasso from refusing perfectly legal
messages, we add a rule to Lasso ignoring other nodes after the
first one.
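The schema point behind this fix, as an added illustration in Python (not Lasso code, and not the reporter's patch): in saml2 AuthnContextType the AuthenticatingAuthority children follow the class reference and/or declaration and may repeat any number of times. The block below parses a constructed assertion fragment (made-up entity IDs and timestamps, no signature) three ways. `authenticating_authority_strict` rejects more than one element, which is the behaviour the bug report describes; `authenticating_authority_first` keeps the first and ignores the rest, which is what revision 151ad17e does; `authenticating_authorities` returns the whole list the schema permits. `validate_authn_context` additionally checks the child order the schema imposes, so an AuthenticatingAuthority appearing before the class reference is still rejected.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def q(local_name):
    """Clark-notation tag for an element in the saml2 assertion namespace."""
    return "{%s}%s" % (SAML2_NS, local_name)


class SchemaViolation(ValueError):
    """Raised when an AuthnContext does not have the shape the caller accepts."""


# Constructed test data (not a real IdP's output): a minimal unsigned assertion
# whose AuthnContext children are supplied by the caller, in document order.
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_c0ffee" Version="2.0" IssueInstant="2018-12-24T17:06:00Z">'
    "<saml:Issuer>https://proxy-idp.example.org/</saml:Issuer>"
    '<saml:AuthnStatement AuthnInstant="2018-12-24T17:05:59Z">'
    "<saml:AuthnContext>%s</saml:AuthnContext>"
    "</saml:AuthnStatement>"
    "</saml:Assertion>"
)
CLASS_REF = (
    "<saml:AuthnContextClassRef>"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    "</saml:AuthnContextClassRef>"
)


def authority(entity_id):
    return "<saml:AuthenticatingAuthority>%s</saml:AuthenticatingAuthority>" % entity_id


def build_assertion(authn_context_children):
    return ASSERTION_TEMPLATE % "".join(authn_context_children)


# A proxy IdP relaying an upstream login: two authorities, as the schema allows.
PROXIED_ASSERTION = build_assertion(
    [CLASS_REF, authority("https://idp-a.example.edu/"), authority("https://idp-b.example.edu/")]
)
# Direct login: no AuthenticatingAuthority at all (minOccurs="0").
DIRECT_ASSERTION = build_assertion([CLASS_REF])
# Wrong child order: AuthenticatingAuthority must come after the class ref.
OUT_OF_ORDER_ASSERTION = build_assertion([authority("https://idp-a.example.edu/"), CLASS_REF])


def validate_authn_context(ctx):
    """Enforce the saml2 AuthnContextType sequence: a class reference and/or a
    declaration (or declaration reference) first, then zero or more
    AuthenticatingAuthority elements, and nothing else."""
    tags = [child.tag for child in ctx]
    i = 0
    if i < len(tags) and tags[i] == q("AuthnContextClassRef"):
        i += 1
    if i < len(tags) and tags[i] in (q("AuthnContextDecl"), q("AuthnContextDeclRef")):
        i += 1
    if i == 0:
        raise SchemaViolation("AuthnContext must start with a class reference or a declaration")
    for tag in tags[i:]:
        if tag != q("AuthenticatingAuthority"):
            raise SchemaViolation("unexpected child %s in AuthnContext" % tag)


def authn_context(assertion_xml):
    root = ET.fromstring(assertion_xml)
    ctx = root.find("%s/%s" % (q("AuthnStatement"), q("AuthnContext")))
    if ctx is None:
        raise SchemaViolation("assertion carries no AuthnStatement/AuthnContext")
    validate_authn_context(ctx)
    return ctx


def authenticating_authorities(assertion_xml):
    """Schema-faithful reading: every AuthenticatingAuthority, in document order."""
    ctx = authn_context(assertion_xml)
    return [el.text.strip() for el in ctx.findall(q("AuthenticatingAuthority"))]


def authenticating_authority_first(assertion_xml):
    """The fix's behaviour: keep the first element, silently ignore the rest."""
    authorities = authenticating_authorities(assertion_xml)
    return authorities[0] if authorities else None


def authenticating_authority_strict(assertion_xml):
    """The pre-fix behaviour the report describes: a second element is a hard error."""
    authorities = authenticating_authorities(assertion_xml)
    if len(authorities) > 1:
        raise SchemaViolation("%d AuthenticatingAuthority elements, only one accepted" % len(authorities))
    return authorities[0] if authorities else None


def accepts(parser, assertion_xml):
    """True if parser handles the assertion, False if it rejects it as a SchemaViolation."""
    try:
        parser(assertion_xml)
        return True
    except SchemaViolation:
        return False


if __name__ == "__main__":
    print("strict accepts proxied assertion:", accepts(authenticating_authority_strict, PROXIED_ASSERTION))
    print("first-only sees:", authenticating_authority_first(PROXIED_ASSERTION))
    print("full list:", authenticating_authorities(PROXIED_ASSERTION))
```

Ignoring the extra elements is enough for interoperability, but a service provider that makes access decisions on which upstream identity provider actually authenticated the user (the proxy IdP case that produces several AuthenticatingAuthority elements in the first place) needs the full list, not just the first entry. Any such parsing belongs after the assertion's signature has been verified, and untrusted XML should go through a hardened parser such as defusedxml rather than the bare stdlib one used here for illustration.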

History

#1 Updated by Benjamin Dauvergne 5 months ago

This patch cannot work: you modify the schema but not the structure. SNIPPET_LIST_NODES generates GList objects, but AuthenticatingAuthority is a char *. As we forbid any ABI change (i.e. it is forbidden to change the type of a structure field for now), you'll need to work as in commit 6f617027e9c46f3cb907e8bdbe1d3ef265d2b4d0.

#2 Updated by Benjamin Dauvergne 5 months ago

  • Assignee set to François Kooman
  • Status changed from New to Information needed

#3 Updated by Benjamin Dauvergne 5 months ago

  • Assignee changed from François Kooman to Benjamin Dauvergne

#4 Updated by Benjamin Dauvergne 5 months ago

  • Status changed from Information needed to Solution proposed

A temporary solution: just ignore other nodes after the first one. It does not offer new functionality, but it prevents Lasso from refusing correct SAML messages.

#5 Updated by Frédéric Péters 5 months ago

  • Status changed from Solution proposed to Solution validated

Ack, but maybe add a comment on top of the snippet, to explain additional AuthenticatingAuthority are accepted but ignored?

#6 Updated by Benjamin Dauvergne 5 months ago

  • Status changed from Solution validated to Resolved (to be deployed)

#7 Updated by Benjamin Dauvergne 5 months ago

  • Target version set to 2.6.1
