When the same URL was used for many bindings, the current code did not
work. Now we use
lasso_saml20_provider_check_assertion_consumer_service_url() to validate
that the URL and binding match; if no binding is suggested we take the
first one defined for this URL.
Using AssertionConsumerServiceIndex and any of the other assertion
consumer designator attributes is still forbidden.
Fix a mistake in the documentation markup that prevented the
doc from building; the order of two tags needed to be reversed.
Remove the $(PYTHON) from TESTS_ENVIRONMENT, it was causing
python to be invoked passing /bin/sh to it as a script.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
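The URL-plus-binding resolution the commit above describes, as an added example in Python that is not lasso's own code: it loads the AssertionConsumerService entries from SP metadata, accepts a request only when both AssertionConsumerServiceURL and ProtocolBinding match a declared endpoint, falls back to the first endpoint declared for that URL when no binding is given, and rejects AssertionConsumerServiceIndex. The metadata, the endpoint URLs and the helper names (`load_acs_endpoints`, `resolve_acs`, `authn_request`) are constructed for this example; the default-ACS case (no designator at all) is outside its scope and is only reported.

```python
"""Added example (not lasso code): resolve the AssertionConsumerService an
AuthnRequest asks for, matching URL and binding against SP metadata.

Policy mirrors the commit message: URL and binding must both match a
declared endpoint; with no ProtocolBinding, the first endpoint declared
for that URL wins; AssertionConsumerServiceIndex is rejected.
Sample metadata and requests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input
from collections import namedtuple

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"

AcsEndpoint = namedtuple("AcsEndpoint", "binding location")

# Constructed SP metadata: one Location serves two bindings, another serves PAOS (ECP).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="https://sp.example.com/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS_SAMLP}">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="{BINDING}HTTP-POST" Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="{BINDING}HTTP-Artifact" Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="2"
        Binding="{BINDING}PAOS" Location="https://sp.example.com/saml/ecp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_acs_endpoints(metadata_xml):
    """Return declared ACS endpoints in document order (order matters for the fallback)."""
    root = ET.fromstring(metadata_xml)
    return [AcsEndpoint(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{NS_MD}}}AssertionConsumerService")]


def resolve_acs(endpoints, authn_request_xml):
    """Return (AcsEndpoint, "") on success or (None, reason) on rejection."""
    req = ET.fromstring(authn_request_xml)
    if req.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        return None, "not an AuthnRequest"
    if req.get("AssertionConsumerServiceIndex") is not None:
        return None, "AssertionConsumerServiceIndex is not supported"
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if url is None:
        # No designator at all means the SP's default ACS; that path is not shown here.
        return None, "no AssertionConsumerServiceURL in request (default ACS handling not shown)"
    for_url = [e for e in endpoints if e.location == url]
    if not for_url:
        return None, f"unknown AssertionConsumerServiceURL {url}"
    if binding is None:
        return for_url[0], ""  # first endpoint defined for this URL
    for e in for_url:
        if e.binding == binding:
            return e, ""
    return None, f"binding {binding} not declared for {url}"


ENDPOINTS = load_acs_endpoints(SP_METADATA)


def authn_request(**attrs):
    """Build a minimal constructed AuthnRequest carrying the given designator attributes."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" ID="_a1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z"{extra}/>')


if __name__ == "__main__":
    acs = "https://sp.example.com/saml/acs"
    print(resolve_acs(ENDPOINTS, authn_request(AssertionConsumerServiceURL=acs)))
    print(resolve_acs(ENDPOINTS, authn_request(AssertionConsumerServiceURL=acs,
                                               ProtocolBinding=BINDING + "HTTP-Artifact")))
    print(resolve_acs(ENDPOINTS, authn_request(AssertionConsumerServiceIndex="1")))
```

The security point is the same one the commit makes: the requested URL must be one the SP actually declared, otherwise an attacker-chosen AssertionConsumerServiceURL would redirect the assertion. Matching on the URL alone is not enough once one Location serves several bindings, so the binding is matched too, and only when the request names none does the first declared binding for that URL apply.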
The Destination attribute on SAML Response element was not being set
when handling an ECP response. It is a requirement of SAML 2.0 that
signed values contain a Destination attribute on the root element
otherwise the client will reject the response. This is documented in
the SAML Bindings Specification, Section 3.4.5.2 "Security
Considerations":
If the message is signed, the Destination XML attribute in the
root SAML element of the protocol message MUST contain the URL to
which the sender has instructed the user agent to deliver the
message. The recipient MUST then verify that the value matches the
location at which the message has been received.
Normally on login one calls
lasso_saml20_login_build_authn_response_msg() which then calls
lasso_saml20_profile_build_response_msg() which sets the Destination
attribute on the SAML Response. But when doing ECP you do not call
lasso_saml20_login_build_authn_response_msg(); instead you call
lasso_saml20_login_build_response_msg() and if it's ECP it then calls
lasso_node_export_to_ecp_soap_response(). Thus the ECP
response never gets the Destination attribute set because of the
different code path, plus for ECP the destination is different, it's
the assertion consumer service.
FWIW this line of code was copied almost verbatim from
lasso_saml20_profile_build_response_msg which also sets the
Destination attribute.
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
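The recipient-side half of the Bindings 3.4.5.2 rule quoted in the commit above, as an added example in Python that is not lasso's own code: a signed protocol message must carry a Destination on its root element, and the value must equal the URL the message was received at. It also unwraps the SOAP envelope an ECP client delivers so the same check applies to the ECP Response, whose destination is the assertion consumer service. The SP URL, the sample messages (their ds:Signature is a placeholder, not a real signature) and the function names are constructed for this example; verifying the signature itself is out of scope here.

```python
"""Added example (not lasso code): the recipient check from SAML Bindings
3.4.5.2. A signed protocol message must carry a Destination attribute on
its root element, and it must equal the URL the message arrived at.

For web SSO that URL is the SP's ACS; for ECP the Response arrives inside
a SOAP Body at the ACS as well. Sample messages are constructed.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ACS_URL = "https://sp.example.com/saml/acs"  # constructed SP endpoint


def _response(signed, destination):
    """Build a constructed samlp:Response; the Signature child is a placeholder."""
    dest = f' Destination="{destination}"' if destination else ""
    sig = f'<ds:Signature xmlns:ds="{NS_DS}"><ds:SignedInfo/></ds:Signature>' if signed else ""
    return (f'<samlp:Response xmlns:samlp="{NS_SAMLP}" ID="_r1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z"{dest}>{sig}'
            f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
            f'</samlp:Status></samlp:Response>')


SIGNED_OK = _response(True, ACS_URL)            # what the fixed ECP path now emits
SIGNED_NO_DEST = _response(True, None)          # what the buggy ECP path emitted
SIGNED_WRONG_DEST = _response(True, "https://sp.example.com/saml/other")
UNSIGNED = _response(False, None)
# ECP delivery: the same signed Response wrapped in a SOAP envelope.
ECP_OK = f'<S:Envelope xmlns:S="{NS_SOAP}"><S:Body>{SIGNED_OK}</S:Body></S:Envelope>'


def unwrap_soap(root):
    """For an ECP delivery the Response travels in a SOAP Body; return the message element."""
    if root.tag == f"{{{NS_SOAP}}}Envelope":
        body = root.find(f"{{{NS_SOAP}}}Body")
        if body is None or len(body) == 0:
            return None
        return body[0]
    return root


def check_destination(message_xml, received_at):
    """Return (ok, reason). Signature validity is checked elsewhere; here the
    ds:Signature child of the root only decides whether Destination is mandatory."""
    root = unwrap_soap(ET.fromstring(message_xml))
    if root is None:
        return False, "empty SOAP body"
    if not root.tag.startswith(f"{{{NS_SAMLP}}}"):
        return False, "root element is not a SAML protocol message"
    signed = root.find(f"{{{NS_DS}}}Signature") is not None  # direct child only
    destination = root.get("Destination")
    if not signed:
        return True, "unsigned message: Destination not required by 3.4.5.2"
    if destination is None:
        return False, "signed message has no Destination attribute"
    if destination != received_at:  # exact match; do not normalise differences away
        return False, f"Destination {destination} != received location {received_at}"
    return True, "Destination matches received location"


if __name__ == "__main__":
    for name, msg in [("ok", SIGNED_OK), ("no-dest", SIGNED_NO_DEST),
                      ("wrong-dest", SIGNED_WRONG_DEST), ("unsigned", UNSIGNED),
                      ("ecp", ECP_OK)]:
        print(name, check_destination(msg, ACS_URL))
```

Note that the presence test only looks at a ds:Signature that is a direct child of the protocol message: a signed Assertion inside an unsigned Response does not make the Response a signed message, so the Destination requirement of 3.4.5.2 does not attach to it. The mismatch branch is what an SP relies on to reject a signed message that was captured at one endpoint and replayed to another.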
If find_path() does not find MinorVersion, then no value is changed and
we repeat the search with the values for the major version.
Check if we have found anything and if not set the minor version to 0.
License: MIT
Signed-off-by: Simo Sorce <simo@redhat.com>