AuthnRequests that fail in the IdP Valve due to an Exception being thrown respond with an incomplete samlp:Response.
For example:
Request
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://myshibsp.example.com/Shibboleth.sso/SAML2/POST"
Destination="http://dev1-idp.example.com/idp/"
ID="_4cc733c3ba0eb678f953f02e6ba49c6f"
IssueInstant="2014-09-06T01:18:45Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myshibsp.example.com/Shibboleth</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>
Response (signature truncated for simplicity)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_f089f5cb-d720-4f29-bf99-fc7bff4884d7"
IssueInstant="2014-09-06T01:19:03.058Z"
Version="2.0"
>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
</samlp:StatusCode>
</samlp:Status>
<dsig:Signature />
</samlp:Response>
When using an alternate SP, such as the Shibboleth SP, this results in an error:
opensaml::BindingException Signed SAML message missing Destination attribute identifying intended destination.
The response above is missing the destination attribute, which should be present:
- Destination is required when the SAML message is signed with the Redirect binding, section 3.4.5.2 of the saml-bindings 2.0 spec (lines 661 - 663)
- Destination is required when the SAML message is signed with the POST binding, section 3.5.5.2 of the saml-bindings 2.0 spec (lines 843 - 845)
After patching so that @Destination is present and based off of th, the Shibboleth SP processes the request instead of erroring. The same request and response are then as follows:
Request
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://myshibsp.example.com/Shibboleth.sso/SAML2/POST"
Destination="http://dev1-idp.example.com/idp/"
ID="_d59555da9181ce8bc9a65f28e6dd8a8a"
IssueInstant="2014-09-06T01:26:56Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myshibsp.example.com/Shibboleth</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>
Response (signature truncated for simplicity)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://myshibsp.example.com/Shibboleth.sso/SAML2/POST"
ID="ID_70635972-9bdb-4069-8e6b-7e4aa0a42695"
IssueInstant="2014-09-06T01:27:20.063Z"
Version="2.0"
>
<dsig:Signature />
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
</samlp:StatusCode>
</samlp:Status>
</samlp:Response>
The submitted pull request always includes the Destination attribute on the response.
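The receiver-side rule the Shibboleth SP enforces above, as an added example (not code from this project or from Shibboleth): parse a samlp:Response and, when it carries a Signature, require a Destination attribute that matches the AssertionConsumerServiceURL the SP is listening on. The two responses are the ones from this report, with the dsig prefix declared in the standard XML-DSig namespace so they parse; the expected endpoint is taken from the request's AssertionConsumerServiceURL.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Endpoint the SP expects, from the AssertionConsumerServiceURL in the request above.
ACS = "https://myshibsp.example.com/Shibboleth.sso/SAML2/POST"

# Constructed input: the first (unpatched) response from the report. The page's
# snippet omits the xmlns:dsig declaration, so it is added here to make the XML parse.
MISSING_DESTINATION = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:dsig="{DSIG}"
  ID="ID_f089f5cb-d720-4f29-bf99-fc7bff4884d7" IssueInstant="2014-09-06T01:19:03.058Z" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
  </samlp:Status>
  <dsig:Signature/>
</samlp:Response>"""

# Constructed input: the patched response, which carries Destination.
WITH_DESTINATION = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:dsig="{DSIG}"
  Destination="{ACS}" ID="ID_70635972-9bdb-4069-8e6b-7e4aa0a42695"
  IssueInstant="2014-09-06T01:27:20.063Z" Version="2.0">
  <dsig:Signature/>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def check_destination(response_xml: str, expected_acs: str) -> tuple:
    """Return (accepted, reason) for a samlp:Response delivered to expected_acs.

    Applies the binding rule from saml-bindings 2.0 sections 3.4.5.2 / 3.5.5.2:
    a signed message must carry Destination, and the receiver must confirm it
    names the endpoint the message actually arrived at.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    signed = root.find(f"{{{DSIG}}}Signature") is not None
    destination = root.get("Destination")
    if signed and destination is None:
        return False, "signed SAML message missing Destination attribute"
    if destination is not None and destination != expected_acs:
        return False, f"Destination {destination!r} does not match this endpoint"
    return True, "ok"
```

The first response is rejected with the same reason the Shibboleth SP reported, while the patched one is accepted only when Destination equals the endpoint that received it.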