[keycloak-dev] Keycloak SAML response 'Destination' Element is always validated.

Bill Burke bburke at redhat.com
Mon Feb 1 00:27:33 EST 2016


I would say that I'd be reluctant to turn it off.  I think this could be 
used with the classic case of:

1. Attacker authenticates with his account at SAML IDP
2. Attacker saves the response from the IDP
3. Attacker tricks user to visit their rogue website, then tricks browser 
to repost the SAML response
4. User now thinks they are logged in, but they are logged in as the 
attacker.

On 1/31/2016 11:11 PM, Arulkumar Ponnusamy wrote:
> Hi Bill,
> As per the SAML spec, this Destination element is optional. Doesn't 
> that make this validation optional?
>
> SAML Spec says,
>
> Destination [Optional]
>
> A URI reference indicating the address to which this request has been 
> sent. This is useful to prevent malicious forwarding of requests to 
> unintended recipients, a protection that is required by some protocol 
> bindings. If it is present, the actual recipient MUST check that the 
> URI reference identifies the location at which the message was 
> received. If it does not, the request MUST be discarded. Some protocol 
> bindings may require the use of this attribute (see [SAMLBind]).
>
>
>
> On Thu, Jan 28, 2016 at 9:08 PM, Bill Burke <bburke at redhat.com> wrote:
>
>     IMO, they should provide it irregardless.
>
>
>     On 1/28/2016 10:21 AM, Arulkumar Ponnusamy wrote:
>>
>>     Yep. We are trying to integrate with the Ping Federate IDP and it
>>     is causing the authentication failure. But Ping Federate does not
>>     provide the Destination element for signed XML either, which we
>>     need to follow up with Ping Federate.
>>
>>     On 28-Jan-2016 8:03 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>
>>         Yes, we validate it.  Is this a problem with some third party
>>         saml integration?
>>
>>         On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:
>>>         As per the OASIS/SAML spec recommendation, if the message is
>>>         signed, the Destination XML attribute in the root SAML
>>>         element of the protocol message MUST contain the URL to
>>>         which the sender has instructed the user agent to deliver
>>>         the message. The recipient MUST then verify that the value
>>>         matches the location at which the message has been received.
>>>
>>>         However, Keycloak always validates the 'Destination' on the
>>>         SAML response, irrespective of whether the response is
>>>         signed or not.
>>>
>>>         Is this not a defect?
>>>
>>>         Thanks,
>>>         Arul kumar P.
>>>
>>>
>>>         _______________________________________________
>>>         keycloak-dev mailing list
>>>         keycloak-dev at lists.jboss.org
>>>         <mailto:keycloak-dev at lists.jboss.org>
>>>         https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>         -- 
>>         Bill Burke
>>         JBoss, a division of Red Hat
>>         http://bill.burkecentral.com
>>
>>
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
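The Destination rule discussed in this thread, as an added illustration that is not Keycloak's own code: a receiver-side check that discards a Response whose Destination does not name the endpoint it arrived at, discards a signed Response that omits Destination, and lets a policy flag decide the unsigned-and-absent case (Keycloak's behaviour as described above is to require it). The ACS URL and the sample responses are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Namespaces used by SAML 2.0 protocol messages and XML Signature.
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

def _normalize(url: str) -> str:
    """Lower-case scheme and host and drop a trailing slash so two spellings
    of the same ACS endpoint compare equal; path, query are otherwise kept."""
    p = urlsplit(url)
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))

def check_destination(response_xml: str, received_at: str,
                      require_destination: bool = True) -> tuple[bool, str]:
    """Apply the SAML 2.0 Destination rule to a Response received at `received_at`.
    Returns (accepted, reason)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS_SAMLP}}}Response":
        return False, "root element is not samlp:Response"
    signed = root.find(f"{{{NS_DS}}}Signature") is not None
    destination = root.get("Destination")
    if destination is None:
        if signed:  # binding rule quoted in the thread: signed => MUST be present
            return False, "signed response without Destination"
        if require_destination:  # the always-validate policy described for Keycloak
            return False, "Destination missing and policy requires it"
        return True, "unsigned response without Destination accepted by policy"
    if _normalize(destination) != _normalize(received_at):  # spec: MUST be discarded
        return False, f"Destination {destination!r} does not match {received_at!r}"
    return True, "Destination matches"

# Constructed sample messages (not captured from any real IdP). The bare
# ds:Signature element only exercises the 'signed' branch; it is not verified here.
ACS = "https://sp.example.test/saml/acs"
RESPONSE_OK = f'<samlp:Response xmlns:samlp="{NS_SAMLP}" ID="_1" Version="2.0" Destination="{ACS}"/>'
RESPONSE_FORWARDED = (f'<samlp:Response xmlns:samlp="{NS_SAMLP}" ID="_2" Version="2.0" '
                      f'Destination="https://other-sp.example.test/acs"/>')
RESPONSE_SIGNED_NO_DEST = (f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:ds="{NS_DS}" '
                           f'ID="_3" Version="2.0"><ds:Signature/></samlp:Response>')
RESPONSE_UNSIGNED_NO_DEST = f'<samlp:Response xmlns:samlp="{NS_SAMLP}" ID="_4" Version="2.0"/>'

if __name__ == "__main__":
    for name, doc in [("ok", RESPONSE_OK), ("forwarded", RESPONSE_FORWARDED),
                      ("signed_no_dest", RESPONSE_SIGNED_NO_DEST),
                      ("unsigned_no_dest", RESPONSE_UNSIGNED_NO_DEST)]:
        print(name, check_destination(doc, ACS))
```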
