Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

generated AuthnRequest is not compliant with the "regole tecniche" #2

Closed
simevo opened this issue Jul 1, 2018 · 7 comments
Closed

generated AuthnRequest is not compliant with the "regole tecniche" #2

simevo opened this issue Jul 1, 2018 · 7 comments

Comments

@simevo
Copy link
Owner

simevo commented Jul 1, 2018
edited
Loading

sample AuthnRequest from "regole tecniche":

<ns0:AuthnRequest
  xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
  AssertionConsumerServiceURL="http://spidSp.spidSpProvider.it"
  AttributeConsumingServiceIndex="1"
  Destination="https:// spidIdp.spidIdpProvider.it"
  ID="_4d38c302617b5bf98951e65b4cf304711e2166df20"
  IssueInstant="2015-01-29T10:00:31Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Version="2.0">
  <ns1:Issuer
    NameQualifier="http://spid-sp.it"
    Format=" urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
  SPID-sp-test
  </ns1:Issuer>
  <ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
  <ns0:RequestedAuthnContext
    Comparison="exact">
    <ns1:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL1
    </ns1:AuthnContextClassRef >
  </ns0:RequestedAuthnContext>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ......</ds:Signature>
</ns0:AuthnRequest>

sample AuthnRequest generated by spid-php2:

<ns0:AuthnRequest
  xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
  AssertionConsumerServiceURL="http://localhost:8000/index.php?acs"
  Destination="http://idp.simevo.com:8088/sso"
  ID="ONELOGIN_b2005214b263804df4ee09e67be44746f47f176b"
  IssueInstant="2018-07-01T14:49:53Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Version="2.0">
  <ns1:Issuer>http://localhost:8000/metadata.php</ns1:Issuer>
  <ns0:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <ns0:RequestedAuthnContext Comparison="exact">
    <ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ns1:AuthnContextClassRef>
  </ns0:RequestedAuthnContext>
</ns0:AuthnRequest>

visual diff:
image

notable differences:

  1. in the Issuer element the attributes Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:entity” and NameQualifier are missing
  2. the element NameIDPolicy has the Format attribute set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified rather than urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  3. the element RequestedAuthnContext.AuthnContextClassRef contains the value urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport instead of urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL1
@simevo
Copy link
Owner Author

simevo commented Jul 1, 2018
edited
Loading

it seems that this could be fixed by patching saml-php:

  1. Issuer is hardwired here: https://github.com/onelogin/php-saml/blob/3.0.0/src/Saml2/AuthnRequest.php#L145
  2. there's a setting for that: https://github.com/onelogin/php-saml/blob/3.0.0/settings_example.php#L62 and the one we need is supported: https://github.com/onelogin/php-saml/blob/3.0.0/src/Saml2/Constants.php#L35
  3. there's a setting for that: https://github.com/onelogin/php-saml/blob/3.0.0/advanced_settings_example.php#L70

@simevo
Copy link
Owner Author

simevo commented Jul 1, 2018
edited
Loading

quick fix for 1.:

diff AuthnRequest_orginal.php ./vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php 
145c145
<     <saml:Issuer>{$spEntityId}</saml:Issuer>
---
>     <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="http://localhost:8000">{$spEntityId}</saml:Issuer>

simevo pushed a commit that referenced this issue Jul 1, 2018
fix NameIDFormat for #2
7e5153d
@simevo simevo closed this as completed in 8758ed0 Jul 2, 2018
@simevo
Copy link
Owner Author

simevo commented Jul 8, 2018

forwarded to php-saml:
SAML-Toolkits/php-saml#328

@simevo simevo reopened this Jul 8, 2018
@simevo
Copy link
Owner Author

simevo commented Jul 16, 2018

additionally, the NameIDPolicy element is not allowed to have theAllowCreate attribute; here is the complete patch for v 2.x:

56,57c56
<         Format="{$nameIDPolicyFormat}"
<         AllowCreate="true" />
---
>         Format="{$nameIDPolicyFormat}" />
130c129
<     <saml:Issuer>{$spEntityId}</saml:Issuer>
---
>     <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="http://sp2.simevo.com:8000">{$spEntityId}</saml:Issuer>

@simevo simevo mentioned this issue Jul 16, 2018
Open
@simevo simevo closed this as completed in 937ba0a Jul 19, 2018
@simevo simevo mentioned this issue Jul 21, 2018
Closed
@simevo
Copy link
Owner Author

simevo commented Jul 21, 2018

valutare anche queste patch:
https://github.com/italia/spid-laravel/blob/master/patches/php-saml-remove_mcrypt-spid.patch
http://cgit.drupalcode.org/spid/tree/patch/onelogin-php-saml-for-spid.patch

@simevo simevo reopened this Jul 21, 2018
@simevo simevo mentioned this issue Aug 9, 2018
Closed
@simevo
Copy link
Owner Author

simevo commented Aug 11, 2018

LogoutRequest also not compliant:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="ONELOGIN_4dc8ccb81114cefe1d3f695123b02ddf85c51be4"
                     Version="2.0"
                     IssueInstant="2018-08-11T08:57:28Z"
                     Destination="https://idp.simevo.com/slo">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
               NameQualifier="http://sp2.simevo.com:8000">http://sp2.simevo.com:8000</saml:Issuer>
  <saml:NameID SPNameQualifier="http://sp2.simevo.com:8000"
               Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.simevo.com</saml:NameID>
</samlp:LogoutRequest>

testenv2 reports:

Elemento Dettagli errore
saml:NameID NameQualifier: L'attributo è obbligatorio; Format: urn:oasis:names:tc:SAML:2.0:nameid-format:entity è diverso dal valore di riferimento urn:oasis:names:tc:SAML:2.0:nameid-format:transient

screenshot:
image

This was referenced Aug 11, 2018
Open
Open
@simevo
Copy link
Owner Author

simevo commented Aug 11, 2018

no need to patch this time, this is the fix that goes in src/Strategy/SpOneLogin.php around line 166:

+       $nameId = $this->idpName;
+       $nameIdFormat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+       $nameIdNameQualifier = $this->idpName;
+       $sloBuiltUrl = $this->auth->logout(null, array(), $nameId, null, true, $nameIdFormat, $nameIdNameQualifier);
-       $sloBuiltUrl = $this->auth->logout(null, array(), null, null, true);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@simevo