Development #33354

WantAuthnRequestsSigned ignored in IDP metadata

Added by Maxime Besson 9 months ago. Updated 6 months ago.

Status: Solution deployed
Priority: Normal
Category: -
Target version:
Start date: 22 May 2019
Due date:
% Done: 100%
Patch proposed: Yes
Planning: No

Description

The following code from saml-2.0/login.c looks a lot like it's wrong:

static gboolean want_authn_request_signed(LassoProvider *provider) {
    char *s;
    gboolean rc = FALSE;

    s = lasso_provider_get_metadata_one_for_role(provider, LASSO_PROVIDER_ROLE_IDP,
            LASSO_SAML2_METADATA_ATTRIBUTE_WANT_AUTHN_REQUEST_SIGNED);
    if (lasso_strisequal(s,"false")) {
        rc = FALSE;
    }
    lasso_release_string(s);
    return rc;
}

This function always returns FALSE regardless of what IDP metadata says in WantAuthnRequestsSigned. Which means that when using LASSO_PROFILE_SIGNATURE_HINT_MAYBE, the choice is entirely left to SP metadata's AuthnRequestsSigned attribute.

0001-Do-not-ignore-WantAuthnRequestSigned-value-with-hint.patch (923 Bytes) Benjamin Dauvergne, 23 May 2019 10:04 AM
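The behaviour described in the report, as an added stand-alone example (not lasso's code and not the attached patch): the quoted logic next to a variant that honours the attribute, evaluated for the case where the SP's own AuthnRequestsSigned is false. The `idp_metadata` struct, the function names and the "either side asks for it" model of hint MAYBE are assumptions for illustration; the corrected variant also accepts "1", which goes beyond the report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the IdP metadata lookup: the raw
 * WantAuthnRequestsSigned attribute, or NULL when it is absent. */
typedef struct { const char *want_authn_requests_signed; } idp_metadata;

static bool str_equal(const char *a, const char *b) {
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* Same logic as the function quoted in the report: rc starts out false
 * and the only branch assigns false again, so metadata is never honoured. */
bool want_signed_buggy(const idp_metadata *idp) {
    bool rc = false;
    if (str_equal(idp->want_authn_requests_signed, "false")) {
        rc = false;
    }
    return rc;
}

/* Default stays false (absent attribute); only an explicit opt-in flips it.
 * "1" is accepted because xs:boolean allows it as a spelling of true. */
bool want_signed_fixed(const idp_metadata *idp) {
    return str_equal(idp->want_authn_requests_signed, "true") ||
           str_equal(idp->want_authn_requests_signed, "1");
}

/* Assumed model of hint MAYBE: sign when either side's metadata asks for it. */
bool must_sign_with_hint_maybe(bool sp_authn_requests_signed, bool idp_wants_signed) {
    return sp_authn_requests_signed || idp_wants_signed;
}

int main(void) {
    /* Constructed sample values: attribute absent, "false", "true", "1". */
    const char *samples[] = { NULL, "false", "true", "1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        idp_metadata idp = { samples[i] };
        /* SP metadata has AuthnRequestsSigned="false" in every row. */
        printf("IdP=%-6s buggy: sign=%d  fixed: sign=%d\n",
               samples[i] ? samples[i] : "(none)",
               must_sign_with_hint_maybe(false, want_signed_buggy(&idp)),
               must_sign_with_hint_maybe(false, want_signed_fixed(&idp)));
    }
    return 0;
}
```

A regression test for this class of bug should cover the absent, "false" and "true" attribute values, since the quoted function gives the right answer for the first two.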

Associated revisions

Revision b0fb24c9 (diff)
Added by Benjamin Dauvergne 9 months ago

Do not ignore WantAuthnRequestSigned value with hint MAYBE (fixes #33354)

Bug introduced in commit 394680712.

History

#1 Updated by Benjamin Dauvergne 9 months ago

  • Status changed from New to Resolved (to be deployed)

You are right, it was modified in this commit:

commit 39468071222aecf4e95697c832870aecf8e0dd71
Author: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date:   Mon Aug 24 10:24:27 2015 +0200

    saml-2.0/login.c: change default value of WantAuthnRequestSigned (fixes #8105)

    Specification says it should default to FALSE. We comply.

but I should have modified the strisequal too.

#2 Updated by Benjamin Dauvergne 9 months ago

  • Assignee set to Benjamin Dauvergne

#3 Updated by Benjamin Dauvergne 9 months ago

#4 Updated by Frédéric Péters 9 months ago

  • Status changed from Solution proposed to Solution validated

It's missing a space before "true". Ack with that change.

#5 Updated by Benjamin Dauvergne 9 months ago

  • Status changed from Solution validated to Resolved (to be deployed)

commit b0fb24c95150c2f4f8eb681fcd9a9f3d7fb2a566
Author: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date:   Thu May 23 10:02:33 2019 +0200

    Do not ignore WantAuthnRequestSigned value with hint MAYBE (fixes #33354)

    Bug introduced in commit 394680712.

#6 Updated by Benjamin Dauvergne 9 months ago

  • % Done changed from 0 to 100

#7 Updated by Benjamin Dauvergne 6 months ago

  • Target version set to 2.6.1

#8 Updated by Benjamin Dauvergne 6 months ago

  • Status changed from Resolved (to be deployed) to Solution deployed
