PicketLink / PLINK-564

AuthnRequest Response missing required data for signed requests

Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: PLINK_2.7.0.Beta2
    • Affects Version/s: PLINK_2.6.0.Final, PLINK_2.7.0.Beta1
    • Component/s: None
    • Labels: None

    Description

      AuthnRequests that fail in the IdP Valve due to an Exception being thrown respond with an incomplete samlp:Response.

      For example:

      Request

      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          AssertionConsumerServiceURL="https://myshibsp.example.com/Shibboleth.sso/SAML2/POST"
                          Destination="http://dev1-idp.example.com/idp/"
                          ID="_4cc733c3ba0eb678f953f02e6ba49c6f"
                          IssueInstant="2014-09-06T01:18:45Z"
                          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                          Version="2.0"
                          >
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myshibsp.example.com/Shibboleth</saml:Issuer>
          <samlp:NameIDPolicy AllowCreate="1" />
      </samlp:AuthnRequest>
      

      Response (signature truncated for simplicity)

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="ID_f089f5cb-d720-4f29-bf99-fc7bff4884d7"
                      IssueInstant="2014-09-06T01:19:03.058Z"
                      Version="2.0"
                      >
          <samlp:Status>
              <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
                  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
              </samlp:StatusCode>
          </samlp:Status>
          <dsig:Signature />
      </samlp:Response>
      

      When using an alternate SP, such as the Shibboleth SP, this results in an error:

      opensaml::BindingException
      Signed SAML message missing Destination attribute identifying intended destination.

      The response above is missing the destination attribute, which should be present:

      • Destination is required when the SAML is signed with Redirect binding, section 3.4.5.2 of the saml-bindings 2.0 spec (line 661 - 663)
      • Destination is required when the SAML is signed with the Post binding, section 3.5.5.2 of the saml-bindings 2.0 spec (line 843 - 845)

      After patching so that @Destination is present and based off of th, Shib processes the request instead of erroring. The same request/response are as follows:

      Request

      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                          AssertionConsumerServiceURL="https://myshibsp.example.com/Shibboleth.sso/SAML2/POST"
                          Destination="http://dev1-idp.example.com/idp/"
                          ID="_d59555da9181ce8bc9a65f28e6dd8a8a"
                          IssueInstant="2014-09-06T01:26:56Z"
                          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                          Version="2.0"
                          >
          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myshibsp.example.com/Shibboleth</saml:Issuer>
          <samlp:NameIDPolicy AllowCreate="1" />
      </samlp:AuthnRequest>
      

      Response (signature truncated for simplicity)

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      Destination="https://myshibsp.example.com/Shibboleth.sso/SAML2/POST"
                      ID="ID_70635972-9bdb-4069-8e6b-7e4aa0a42695"
                      IssueInstant="2014-09-06T01:27:20.063Z"
                      Version="2.0"
                      >
          <dsig:Signature />
          <samlp:Status>
              <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
                  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
              </samlp:StatusCode>
          </samlp:Status>
      </samlp:Response>
      

      The submitted pull request always includes the destination.
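As an added illustration (not PicketLink's or Shibboleth's code), a minimal SP-side check in Python of the rule the report cites: a signed samlp:Response must carry Destination, and it must equal the SP's assertion consumer service URL. The sample responses are constructed from the two shown above; the xmldsig namespace declaration and the ID value are assumptions, and the Signature element is an empty placeholder as in the report.

```python
"""SP-side check of the rule from SAML bindings 3.5.5.2: a signed Response must
carry Destination, and it must equal the SP's assertion consumer service URL."""
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://myshibsp.example.com/Shibboleth.sso/SAML2/POST"


def make_response(destination: Optional[str], signed: bool) -> str:
    """Constructed samlp:Response modelled on the report's examples (assumed
    ID value; the Signature element is an empty placeholder, as in the report)."""
    dest_attr = f' Destination="{destination}"' if destination else ""
    signature = "<dsig:Signature/>" if signed else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" ID="ID_constructed" '
        f'IssueInstant="2014-09-06T01:19:03.058Z" Version="2.0"{dest_attr}>'
        f"{signature}<samlp:Status>"
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>'
        "</samlp:StatusCode></samlp:Status></samlp:Response>"
    )


def check_response(xml_text: str, expected_acs: str) -> List[str]:
    """Return the binding-level problems found; an empty list means the
    message passed (signature verification itself is out of scope here)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"unexpected root element {root.tag}"]
    problems = []
    # Only a Signature that is a direct child covers the Response element.
    signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")
    if signed and destination is None:
        problems.append("signed message missing Destination attribute")
    # When Destination is present it must name this SP's endpoint, signed or not.
    if destination is not None and destination != expected_acs:
        problems.append(f"Destination {destination} does not match {expected_acs}")
    return problems


if __name__ == "__main__":
    for dest, signed in [(None, True), (ACS_URL, True), (None, False)]:
        print(dest, signed, check_response(make_response(dest, signed), ACS_URL) or "ok")
```

The unsigned case without Destination passes on purpose: the bindings spec only mandates the attribute when the message is signed.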

People

  Assignee: Pedro Igor Craveiro (psilva@redhat.com)
  Reporter: Stefan Winz (dividebyzero_jira, inactive)