Uploaded image for project: 'PicketLink'
  1. PicketLink
  2. PLINK-647

IdPFilter does not correctly handle SAML assertion attributes or invoke custom attribute managers when doing IdP initiated auth use cases

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • PLINK_2.7.0.CR3
    • PLINK_2.6.0.CR5
    • SAML
    • None

    Description

      When using the IdPFilter (as opposed to IDPWebBrowserSSOValve) in conjunction with a custom attribute manager, the following issues occur:

      1. Custom attribute manager is not invoked.
      2. Every time an IdP-initiated SAML request is made, an additional (duplicated) block of Role attributes are added to the resulting SAML assertion. For example, if you access a url like this http://localhost:8080/idp/?SAML_VERSION=2.0&TARGET=https://training-lms-test.redhat.com/Saml/Logon&SAML_BINDING=POST, you will see a saml assertion similar to this:

      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      IssueInstant="2014-12-12T16:18:31.996Z"
      MajorVersion="1"
      MinorVersion="1"
      ResponseID="ID_ccf93504-1f2b-4102-8a26-81d1577f466f"
      >
      <samlp:Status>
      <samlp:StatusCode Value="samlp:Success" />
      </samlp:Status>
      <saml:Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
      AssertionID="ID_62d6d29f-5368-4065-b068-5cf67381836d"
      IssueInstant="2014-12-12T16:18:06.393Z"
      Issuer="http://localhost:8080/idp/"
      MajorVersion="1"
      MinorVersion="1"
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      >
      <saml:Conditions NotBefore="2014-12-12T16:18:04.393Z"
      NotOnOrAfter="2014-12-12T16:18:13.393Z"
      />
      <saml:AuthenticationStatement AuthenticationInstant="2014-12-12T16:18:06.393Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      >
      <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:NameIdentifier>vkumar51</saml:NameIdentifier>
      </saml:Subject>
      </saml:AuthenticationStatement>
      <saml:AttributeStatement>
      <saml:Attribute AttributeName="Role"
      AttributeNamespace="urn:picketlink:role"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >idp_authenticated</saml:AttributeValue>
      </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AttributeStatement>
      <saml:Attribute AttributeName="Role"
      AttributeNamespace="urn:picketlink:role"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >idp_authenticated</saml:AttributeValue>
      </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AttributeStatement>
      <saml:Attribute AttributeName="Role"
      AttributeNamespace="urn:picketlink:role"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >idp_authenticated</saml:AttributeValue>
      </saml:Attribute>
      </saml:AttributeStatement>
      </saml:Assertion>
      </samlp:Response>

      This behavior does not occur if you use the SAML valve, however we have other requirements that dictate we use the IDPFilter.

      Attachments

        Issue Links

          duplicates

          Bug - A problem that impairs or prevents the functions of the product. PLINK-648 IDPFilter does not supports SAML 2.0 Unsolicited Responses

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              rhit_mcirioli michael cirioli (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: