Add Destination attribute for SAML ECP Response
The Destination attribute on SAML Response element was not being set when handling an ECP response. It is a requirement of SAML 2.0 that signed values contain a Destination attribute on the root element otherwise the client will reject the response. This is documented in the SAML Bindings Specification, Section 3.4.5.2 "Security Considerations":

If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.

Normally on login one calls lasso_saml20_login_build_authn_response_msg() which then calls lasso_saml20_profile_build_response_msg() which sets the Destination attribute on the SAML Response. But when doing ECP you do not call lasso_saml20_login_build_authn_response_msg(), instead you call lasso_saml20_login_build_response_msg() and if it's ECP it then calls lasso_node_export_to_ecp_soap_response(). Thus the ECP response never gets the Destination attribute set because of the different code path, plus for ECP the destination is different, it's the assertion consumer service.

FWIW this line of code was copied almost verbatim from lasso_saml20_profile_build_response_msg which also sets the Destination attribute.

License: MIT

Signed-off-by: John Dennis <jdennis@redhat.com>
This commit is contained in:
parent
236410bf91
commit
ec73384ccf
|
@ -1029,6 +1029,10 @@ lasso_saml20_login_build_response_msg(LassoLogin *login)
|
|||
= g_strdup(assertionConsumerURL);
|
||||
}
|
||||
|
||||
/* If response is signed it MUST have Destination attribute, optional otherwise */
|
||||
lasso_assign_string(((LassoSamlp2StatusResponse*)profile->response)->Destination,
|
||||
assertionConsumerURL);
|
||||
|
||||
/* build an ECP SOAP Response */
|
||||
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_ecp_soap_response(
|
||||
LASSO_NODE(profile->response), assertionConsumerURL));
|
||||
|
|
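Review bot: the new lasso_assign_string() call copies assertionConsumerURL into Destination unconditionally, immediately after a block that only conditionally does `= g_strdup(assertionConsumerURL);`; if that block is the only place assertionConsumerURL is guaranteed to be non-NULL, a signed ECP response could still go out with an empty Destination, which is exactly the case the commit message says clients reject. Consider checking assertionConsumerURL before the assignment and returning an error when it is missing, so the caller fails loudly instead of producing a response the client will refuse. The comment "If response is signed it MUST have Destination attribute, optional otherwise" matches the quoted binding-spec requirement, and setting the attribute even for unsigned responses is harmless and keeps the code path simple.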