From ec73384ccf704096daf9b9151e5c5389e047ec96 Mon Sep 17 00:00:00 2001
From: John Dennis
Date: Tue, 10 Mar 2015 17:52:52 -0400
Subject: [PATCH] Add Destination attribute for SAML ECP Response

The Destination attribute on SAML Response element was not being set when handling an ECP response. It is a requirement of SAML 2.0 that signed values contain a Destination attribute on the root element otherwise the client will reject the response. This is documented in the SAML Bindings Specification, Section 3.4.5.2 "Security Considerations": If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received. Normally on login one calls lasso_saml20_login_build_authn_response_msg() which then calls lasso_saml20_profile_build_response_msg() which sets the Destination attribute on the SAML Response. But when doing ECP you do not call lasso_saml20_login_build_authn_response_msg(), instead you call call lasso_saml20_login_build_response_msg() and if it's ECP it then calls lasso_node_export_to_ecp_soap_response(). Thus the ECP response never gets the Destination attribute set because of the different code path, plus for ECP the destination is different, it's the assertion consumer service. FWIW this line of code was copied almost verbatim from lasso_saml20_profile_build_response_msg which also sets the Destination attribute.

License: MIT
Signed-off-by: John Dennis
---
 lasso/saml-2.0/login.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 95779d17..cd754242 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1029,6 +1029,10 @@ lasso_saml20_login_build_response_msg(LassoLogin *login)
 			= g_strdup(assertionConsumerURL);
 	}
+	/* If response is signed it MUST have Destination attribute, optional otherwise */
+	lasso_assign_string(((LassoSamlp2StatusResponse*)profile->response)->Destination,
+			assertionConsumerURL);
+
 	/* build an ECP SOAP Response */
 	lasso_assign_new_string(profile->msg_body,
 			lasso_node_export_to_ecp_soap_response(
 				LASSO_NODE(profile->response), assertionConsumerURL));
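Review bot: The Destination written by the added `lasso_assign_string` is whatever `assertionConsumerURL` holds at this point, and where that value comes from is outside the hunk (the `g_strdup(assertionConsumerURL)` on the first context line only shows it was derived earlier in the same function); since the Bindings text quoted in the commit message makes the recipient compare the signed Destination against its own receiving endpoint, it is worth confirming in the enclosing function that this is a metadata-registered AssertionConsumerService URL rather than one echoed from the request. A smaller point is the bare C cast `(LassoSamlp2StatusResponse*)profile->response`, which skips the GObject instance type check; if the file's usual `LASSO_SAMLP2_STATUS_RESPONSE()` macro is available, `lasso_assign_string(LASSO_SAMLP2_STATUS_RESPONSE(profile->response)->Destination, assertionConsumerURL);` would be the idiomatic form. The new comment could also record the ordering constraint, e.g. `/* Set Destination before lasso_node_export_to_ecp_soap_response() so that any signing done during export covers it (SAML Bindings 3.4.5.2) */`. lasso_saml20_login_build_response_msg starts and ends outside the hunk.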