pac4j-saml: AuthnRequest compliance issue
219 views
Skip to first unread message
csn
Sep 29, 2021, 10:45:57 PM9/29/21
to Pac4j users mailing list
Hi,
Found an issue with org.pac4j.saml.sso.impl.SAML2AuthnRequestBuilder class in pac4j-saml module which does not comply to SAML 2.0 specification.
According to specification document https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 3.4.1 Element <AuthnRequest>,
AssertionConsumerServiceIndex [Optional]
Indirectly identifies the location to which the <Response> message should be returned to the
requester. It applies only to profiles in which the requester is different from the presenter, such as the
Web Browser SSO profile in [SAMLProf]. The identity provider MUST have a trusted means to map
the index value in the attribute to a location associated with the requester. [SAMLMeta] provides one
possible mechanism. If omitted, then the identity provider MUST return the <Response> message to
the default location associated with the requester for the profile of use. If the index specified is invalid,
then the identity provider MAY return an error <Response> or it MAY use the default location. This
attribute is mutually exclusive with the AssertionConsumerServiceURL and ProtocolBinding
attributes.
AssertionConsumerServiceURL [Optional]
Specifies by value the location to which the <Response> message MUST be returned to the
requester. The responder MUST ensure by some means that the value specified is in fact associated
with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing
<AuthnRequest> message is another. This attribute is mutually exclusive with the
AssertionConsumerServiceIndex attribute and is typically accompanied by the
ProtocolBinding attribute.
ProtocolBinding [Optional]
A URI reference that identifies a SAML protocol binding to be used when returning the <Response>
message. See [SAMLBind] for more information about protocol bindings and URI references defined
for them. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute
and is typically accompanied by the AssertionConsumerServiceURL attribute.
AuthnRequest should provide either AssertionConsumerServiceIndex or AssertionConsumerServiceURL + ProtocolBinding.
However, the code
if (this.configuration.getAssertionConsumerServiceIndex() >= 0) {
request.setAssertionConsumerServiceIndex(this.configuration.getAssertionConsumerServiceIndex() );
} else {
request.setAssertionConsumerServiceURL(assertionConsumerService.getLocation());
}
request.setProtocolBinding(assertionConsumerService.getBinding());
creates the authentication request with AssertionConsumerServiceIndex + ProtocolBinding.
Below is the AuthnRequest sent to the IdP.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceIndex="0"
AttributeConsumingServiceIndex="1"
Destination="https://login.microsoftonline.com/0123456789abcd/saml2"
ForceAuthn="true"
ID="_8e959c714077415f855eaf65a183a8f4b7252be"
IsPassive="false"
IssueInstant="2021-09-28T04:42:55.497Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="MyCompany::SP1"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="urn:mace:saml:pac4j.org">urn:mace:saml:pac4j.org</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
<saml2p:RequestedAuthnContext Comparison="exact">
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
Hence, get rejected by the IdP.
AADSTS900237: AssertionConsumerServiceIndex cannot be set when ProtocolBinding or AssertionConsumerServiceUrl are set.
Regards,
SN Chok
Jérôme LELEU
Oct 7, 2021, 3:06:34 AM10/7/21
to csn, Pac4j users mailing list
Hi,
You're right.
I fixed the issue: https://github.com/pac4j/pac4j/commit/8ba3a69869ce838fa593dea73b846a5e54ba727c
It will be available in v5.1.4.
Thanks.
Best regards,
Jérôme
It will be available in v5.1.4.
Thanks.
Best regards,
Jérôme
--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pac4j-users/7ad66b58-c6ce-42a9-bb08-4e3405bb7ebdn%40googlegroups.com.
csn
Oct 7, 2021, 10:11:12 PM10/7/21
to Pac4j users mailing list
Thank you.
Message has been deleted
Message has been deleted
Rohit Pawar
Jul 11, 2023, 4:43:34 AM7/11/23
to Please use https://stackoverflow.com with the pac4j tag
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="xyz/commerce/control/duoResponseHandler?client_name=SAML2Client"
AttributeConsumingServiceIndex="1"
IssueInstant="2023-07-11T08:27:22.971Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ProviderName="pac4j-saml"
Why still with your changes, when I set AttributeConsumingServiceIndex in the config I The saml-request is generated like that all things are placed, should I have to change anything?
according to your changes, the expected is that the ACSURL and ProtocolBinding will be removed from the request .
Why still with your changes, when I set AttributeConsumingServiceIndex in the config I The saml-request is generated like that all things are placed, should I have to change anything?
according to your changes, the expected is that the ACSURL and ProtocolBinding will be removed from the request .
Reply all
Reply to author
Forward
0 new messages