
Validate audience with entityIssuer if present, use redirectURI otherwise #896

Merged 1 commit, Apr 6, 2017

Conversation


@Calpicow Calpicow commented Apr 6, 2017

Comparing with the spec, it appears that Audience values refer to EntityIssuer, and not RedirectURI (in most cases they are the same, but not all).

This sets EntityIssuer to RedirectURI by default if it is not explicitly set, allowing implementations that need it to function correctly.

Spec: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

We see that EntityIssuer is https://sp.example.com/SAML2, but Destination is https://sp.example.com/SAML2/SSO/POST:

```xml
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:21:59Z"
    AssertionConsumerServiceIndex="1">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.example.com/SAML2/SSO/POST">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode
        Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_3"
      Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <!-- a POSTed assertion MUST be signed -->
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <saml:Subject>
      <saml:NameID
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
        3f7b3dcf-1674-4ecd-92c8-1544f346baf8
      </saml:NameID>
      <saml:SubjectConfirmation
          Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            InResponseTo="identifier_1"
            Recipient="https://sp.example.com/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions
        NotBefore="2004-12-05T09:17:05Z"
        NotOnOrAfter="2004-12-05T09:27:05Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement
        AuthnInstant="2004-12-05T09:22:00Z"
        SessionIndex="identifier_3">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
```
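As an added example (not code from this PR or from dex), the rule in the PR title applied to the spec Response above: the expected audience is entityIssuer when configured and redirectURI otherwise, every AudienceRestriction must list it, and an empty expected value never matches. The samlResponse type, the sampleResponse constant and the rejection of assertions that carry no AudienceRestriction at all are this example's own assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// samlResponse is a minimal, namespace-aware view of a SAML Response (constructed here, not dex's types).
type samlResponse struct {
	Restrictions []struct {
		Audiences []string `xml:"urn:oasis:names:tc:SAML:2.0:assertion Audience"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion>Conditions>AudienceRestriction"`
}

// sampleResponse is a constructed, trimmed copy of the spec Response quoted above (signature omitted).
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_2" Version="2.0">
<saml:Assertion ID="identifier_3" Version="2.0"><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>`

// expectedAudience applies the PR's rule: entityIssuer when configured, redirectURI otherwise.
func expectedAudience(entityIssuer, redirectURI string) string {
	if entityIssuer != "" {
		return entityIssuer
	}
	return redirectURI
}

// validateAudience requires every AudienceRestriction to list the expected audience; an empty
// expected value or an assertion with no restriction is rejected (this example's policy, not the spec's).
func validateAudience(raw []byte, entityIssuer, redirectURI string) error {
	want := expectedAudience(entityIssuer, redirectURI)
	if want == "" {
		return fmt.Errorf("neither entityIssuer nor redirectURI is configured")
	}
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return fmt.Errorf("parsing response: %v", err)
	}
	if len(resp.Restrictions) == 0 {
		return fmt.Errorf("assertion carries no AudienceRestriction")
	}
	for _, ar := range resp.Restrictions {
		matched := false
		for _, a := range ar.Audiences {
			matched = matched || strings.TrimSpace(a) == want // exact match after trimming whitespace
		}
		if !matched {
			return fmt.Errorf("audience %q does not include expected %q", ar.Audiences, want)
		}
	}
	return nil
}
```

With the spec values, the check passes only when the expected audience resolves to https://sp.example.com/SAML2; configuring just the ACS URL https://sp.example.com/SAML2/SSO/POST fails, which is exactly the mismatch the PR description points at.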

@@ -154,6 +154,11 @@ func (c *Config) openConnector(logger logrus.FieldLogger) (*provider, error) {
return nil, fmt.Errorf("missing required fields %q", missing)
}

// Set EntityIssuer to RedirectURI if it is not set
if c.EntityIssuer == "" {
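Review bot: Defaulting `c.EntityIssuer` to the redirect URI inside `openConnector` sets the value for the whole connector, so it governs more than the audience comparison this PR is about (the inline comment below notes it is also what gets sent, and that Issuer is optional). Since the PR description itself says the two values differ in some deployments, a silently chosen default is the wrong place for the fallback: leave the field empty when the operator did not set it, resolve entityIssuer-or-redirectURI at the point where the audience is compared, and document that `entityIssuer` must be set whenever the IdP's audience is not the redirect URI.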
Contributor

I don't want to send this if EntityIssuer isn't explicitly set. Issuer is optional and since you stated this wasn't a safe assumption I think it's safer to avoid this default.

Contributor Author

Ok, pushed new change

@Calpicow Calpicow force-pushed the audience_validate_fix branch 2 times, most recently from 6993e63 to 334a7b3 on April 6, 2017 21:23
@@ -466,21 +466,25 @@ func (p *provider) validateConditions(assertion *assertion) error {
}
}
// Validates audience
audienceValue := p.entityIssuer
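Review bot: `audienceValue := p.entityIssuer` can now be the empty string, because the default in `openConnector` was dropped in the exchange above; the fallback to `p.redirectURI` that the PR title promises has to happen right here, and an empty `audienceValue` must be treated as a failed check rather than compared against the assertion's `<saml:Audience>` values. The `// Validates audience` comment should also state which configured value is expected and that the comparison is an exact string match.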
Contributor

This works for me, but do you think it'd be better to make entityIssuer required? I'm a little on the fence, but it seems like this is important when verifying the audience restrictions.

Would like to know what sounds more reasonable to you.

Contributor Author

I think it'll be ok as long as we make it clear in the documentation. Let me add it.

@ericchiang ericchiang left a comment

lgtm

@ericchiang ericchiang merged commit 53acaa9 into dexidp:master Apr 6, 2017
@Calpicow Calpicow deleted the audience_validate_fix branch June 20, 2017 20:41
mmrath pushed a commit to mmrath/dex that referenced this pull request Sep 2, 2019
Validate audience with entityIssuer if present, use redirectURI otherwise