logout request not url encoded


Enrico Cavalli

Dec 13, 2017, 3:44:44 AM
to SimpleSAMLphp
Hello, is it normal for a SP (non simplesaml) to send single logout request NOT url encoded?

I mean if in the HTTP GET request there is a "+" instead of "%2B"
SimpleSAML gives an exception error but I suppose it cannot do otherwise? The application will never receive
correct base64 data ....

Am I wrong ?

Thank you,
Enrico.

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Error while inflating SAML message.
Backtrace:
2 vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:119 (SAML2\HTTPRedirect::receive)
1 modules/saml/lib/IdP/SAML2.php:540 (sspmod_saml_IdP_SAML2::receiveLogoutMessage)
0 www/saml2/idp/SingleLogoutService.php:23 (N/A)

Peter Schober

Dec 13, 2017, 8:24:40 AM
to SimpleSAMLphp
* Enrico Cavalli <enrico....@gmail.com> [2017-12-13 09:44]:
> Hello, is it normal for a SP (non simplesaml) to send single logout
> request NOT url encoded?

Not sure what you're asking. Sending incorrect data (such as not
encoding things correctly, whether that's the deflate encoding or
urlencoding or anything else prescribed by the SAML and possibly HTTP
specifications) will break stuff, sure.

If by "normal" you mean whether others encounter these things often:
Personally I've never had this happen. (That just means I have not
federated with the SP you're trying to, of course.)

-peter

Enrico Cavalli

Dec 15, 2017, 4:40:28 AM
to simple...@googlegroups.com
Literally this is what I am seeing at the HTTP protocol level

GET https://idp.iulm.it/simplesaml/saml2/idp/SingleLogoutService.php?SAMLResponse=jZLRaoMwFIbv9xSS+2qS1qihWsbKoLDdzK4XuxkxPbYBTcQTxx5/2q6sjFF2GXL+7z98yXL12TbBB/RonM0JCykJwGq3N/aQk9ft4ywlq+JuiapteCef3MEN/gWwcxYhWAN6Y5U/ZY/edyijyOy70AxNGxofoWm7BqZwdCJMl1E5shs4o0roP4yGsDt2JNisc/IusrlgrIqTOE4qUYk6qRdMJ6mgFFRNx/029rLA1o0BvaAJrVgyp3WtdJXxjMeZFtWcaSZiriijC6FZyvkYRRxgY9Er63PCKUtmjM9YvKWZnMeSpmEi0jcS7C5C+CRkVGRRnhXkZOitdAoNSqtaQOm1LO+fn+Q4KrveeaddQ4qzMXkq7K8JtwEKEfrJJyn+7bMFr/bKq0niMrruLS7vVnrlB/x1fHB7CHaqGeD2TnialuWgNSCSqPgu+cFGf36P4gs= HTTP/1.1

A base64 decode and inflate shows it is a correct LogoutResponse, but it will never reach the application level (simplesaml idp)
because it is not encoded at the HTTP protocol level.

I suppose there is no way to remediate.

I'm talking of ex-libris (alma) as service provider.

Best regards,
Enrico.
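The encoding chain the thread is arguing about, as an added example that is not part of the original thread and not SimpleSAMLphp's or Alma's code: the HTTP-Redirect binding deflates the XML, base64-encodes it, and then URL-encodes the whole parameter value. The example builds a constructed LogoutResponse (the hostname, IDs and timestamps are placeholders), sends it once correctly and once with the URL-encoding step skipped, and shows what a receiver sees in each case. A standard query parser turns a raw "+" into a space; a strict base64 decoder rejects that outright, and a lenient one (PHP's default base64_decode discards invalid characters) yields a shifted bit stream that then fails to inflate, which is the "Error while inflating SAML message" in the backtrace above. The raw_plus_in_param check runs on the undecoded query string so a log entry can name the non-compliant SP instead of a generic inflate error.

```python
import base64
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Placeholder IdP endpoint (assumed, not the one in the thread).
SLO_URL = "https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php"


def logout_response_xml(seq: int) -> str:
    """Constructed sample LogoutResponse; all IDs are placeholders, seq only varies the ID."""
    return (
        '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="_placeholder-response-{seq}" Version="2.0" '
        'IssueInstant="2017-12-15T09:40:00Z" '
        f'Destination="{SLO_URL}" InResponseTo="_placeholder-request">'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '</samlp:LogoutResponse>'
    )


def deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding, sender side: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def sample_payload_with_plus():
    """Return (xml, b64) whose base64 text contains '+', so the bug is observable.
    Each base64 character is '+' with probability 1/64, so varying the placeholder
    ID a few times always produces a payload that contains one."""
    for seq in range(1000):
        xml = logout_response_xml(seq)
        b64 = deflate_b64(xml)
        if "+" in b64:
            return xml, b64
    raise RuntimeError("no sample payload containing '+' found")


def build_redirect_url(b64: str, url_encode: bool) -> str:
    """Sender side, last step: the whole value must be URL-encoded; safe='' also
    encodes '/' and '='. url_encode=False reproduces the SP behaviour in the thread."""
    value = quote(b64, safe="") if url_encode else b64
    return f"{SLO_URL}?SAMLResponse={value}"


def raw_plus_in_param(url: str, name: str = "SAMLResponse") -> bool:
    """Receiver-side check on the *raw* query string, before any decoding: a literal
    '+' in the value means the sender skipped URL-encoding, because any form-decoding
    parser will turn it into a space. Log it together with the SP identity."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name and "+" in value:
            return True
    return False


def receive_redirect_payload(url: str) -> str:
    """Receiver side: parse the query like a web framework does ('+' -> space,
    %XX decoded), strict base64 decode, raw inflate. Raises on a malformed value."""
    params = parse_qs(urlsplit(url).query, strict_parsing=True)
    b64 = params["SAMLResponse"][0]
    raw = base64.b64decode(b64, validate=True)  # strict: a space is rejected here
    return zlib.decompress(raw, -15).decode()


def receive_or_error(url: str):
    """Like receive_redirect_payload but returns (xml, None) or (None, error text)."""
    try:
        return receive_redirect_payload(url), None
    except (KeyError, ValueError, zlib.error) as exc:  # binascii.Error is a ValueError
        return None, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    xml, b64 = sample_payload_with_plus()
    for encoded in (True, False):
        url = build_redirect_url(b64, encoded)
        got, err = receive_or_error(url)
        print(f"url_encoded={encoded} raw_plus={raw_plus_in_param(url)} "
              f"round_trip_ok={got == xml} error={err}")
```

The correctly encoded URL round-trips to the original XML; the unencoded one is flagged by raw_plus_in_param and fails in the decode step, which is the behaviour the thread observes with a real SP.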

Peter Schober

Dec 15, 2017, 5:04:51 AM
to simple...@googlegroups.com
* Enrico Cavalli <enrico....@gmail.com> [2017-12-15 10:46]:
> I'm talking of ex-libris (alma) as service provider.

For clarifications of what's legal in SAML and what not you can always
ask at <saml...@lists.oasis-open.org>.
If they in fact have a bug that would be huge (and should be reported
to them, of course), as Alma is a global service (soon to be) used by
thousands of institutions.

-peter

Enrico Cavalli

Jan 8, 2018, 2:36:29 PM
to simple...@googlegroups.com
I reported to alma but did not receive any response yet (probably I didn't reach the correct people yet).
I'll let you know if I receive any news.

Sorry for the late reply but I missed your response.

Enrico.

Peter Schober

Jan 12, 2018, 1:18:38 PM
to simple...@googlegroups.com
* Enrico Cavalli <enrico....@gmail.com> [2018-01-08 20:36]:
> I reported to alma but did not receive any response yes (probably I
> didn't reach the correct people yet).
> I'll let you know if I receive any news.

Thanks, but I didn't say they have a bug, just that if they did you
should report it. What I suggested was asking about guidance on the
saml-dev mailing list what they think of this.
-peter

Enrico Cavalli

Jan 16, 2018, 9:50:27 AM
to simple...@googlegroups.com
It seems a bug:

https://lists.oasis-open.org/archives/saml-dev/201801/msg00001.html

pretty definitive I suppose.

Thanks

(still struggling to talk to ex-libris).
