Details
-
Bug
-
Resolution: Done
-
Major
-
PLINK_2.5.2.FInal
Description
The picketlink IDP is sending a response to an AuthnRequest with an invalid top level status code value. For example:
Request
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://qa-app/Shibboleth.sso/SAML2/POST" Destination="https://idp-dev1/idp/" ID="_b5087728bfbb1ef6790558e47bcdbaf7" IssueInstant="2014-04-11T18:12:43Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://qa-app/Shibboleth</saml:Issuer> <samlp:NameIDPolicy AllowCreate="1" /> </samlp:AuthnRequest>
Response
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_d8c4c4aa-721a-4790-91eb-4f07e7d6bf11" IssueInstant="2014-04-11T18:13:00.654Z" Version="2.0" > <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" /> </samlp:Status> <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/> <!-- truncated --> </samlp:Response>
The statusCode: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
is a second level status code that should not be in the top level spot (per saml2 core spec, https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf, line 1693-1704)
This is causing third party Service providers to not process the message and fail (Shibboleth SP/opensaml).
In this case, the expected result, I think, should be:
<samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" /> </samlp:StatusCode> </samlp:Status>
