SAML-2.0: rework on commit 05fe802b8d, improve handling of ProtocolBinding and AssertionConsumerServiceURL

When the same URL was used for many bindings, the current code did not
work. Now we use
lasso_saml20_provider_check_assertion_consumer_service_url() to validate
that the URL and the binding match; if no binding is suggested, we take the
first one defined for this URL.

Using AssertionConsumerServiceIndex and any of the other assertion
consumer designator attributes is still forbidden.
This commit is contained in:
Benjamin Dauvergne 2015-03-26 19:34:28 +01:00
parent bbcee8a480
commit 9f99176b3c
3 changed files with 49 additions and 20 deletions


@ -303,9 +303,6 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth
remote_provider->role = LASSO_PROVIDER_ROLE_SP;
server->parent.role = LASSO_PROVIDER_ROLE_IDP;
/* Normally those three attributes are mutually exclusive, but Google Apps send
* ProtocolBinding and AssertionConsumerServiceURL at the same time, so we support this case
* by validating that it matches the same endpoint */
if (((authn_request->ProtocolBinding != NULL) ||
(authn_request->AssertionConsumerServiceURL != NULL)) &&
(authn_request->AssertionConsumerServiceIndex != -1))
@ -318,19 +315,26 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth
protocol_binding = authn_request->ProtocolBinding;
if (protocol_binding || authn_request->AssertionConsumerServiceURL)
{
const gchar *acs_url_binding = NULL;
if (authn_request->AssertionConsumerServiceURL) {
acs_url_binding = lasso_saml20_provider_get_assertion_consumer_service_binding_by_url(
remote_provider, authn_request->AssertionConsumerServiceURL);
if (! acs_url_binding) {
// Sent ACS URL is unknown
rc = LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE;
goto cleanup;
}
if (! protocol_binding) {
// Only ACS URL sent
protocol_binding = acs_url_binding;
if (protocol_binding) {
if (! lasso_saml20_provider_check_assertion_consumer_service_url(
remote_provider,
authn_request->AssertionConsumerServiceURL,
authn_request->ProtocolBinding)) {
// Sent ACS URL is unknown
rc = LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE;
goto cleanup;
}
} else {
// Only ACS URL sent, choose the first associated binding
protocol_binding = lasso_saml20_provider_get_assertion_consumer_service_binding_by_url(
remote_provider, authn_request->AssertionConsumerServiceURL);
if (! protocol_binding) {
rc = LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE;
goto cleanup;
}
lasso_assign_string(authn_request->ProtocolBinding,
protocol_binding);
}
}
@ -349,11 +353,6 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth
rc = LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE;
goto cleanup;
}
// We received both a protocolbinding and an acs url, check both matches
if (acs_url_binding && g_strcmp0(protocol_binding, acs_url_binding) != 0) {
rc = LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE;
goto cleanup;
}
} else {
/* protocol binding not set; so it will look into
* AssertionConsumerServiceIndex
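Review bot: The comment `// Sent ACS URL is unknown` above the lasso_saml20_provider_check_assertion_consumer_service_url() call is now misleading: that branch runs when both ProtocolBinding and AssertionConsumerServiceURL were sent, so a failure can also mean the URL is known but is not declared with the requested binding in the SP metadata, which is precisely the case this commit adds. Suggest `// ACS URL unknown, or not declared with the requested binding in the SP metadata`. Both rejection paths return the same LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE, so a debug log naming the rejected URL/binding pair would let an operator tell an SP misconfiguration from a request that was altered in transit. The ProtocolBinding-only path and the rest of lasso_saml20_login_process_authn_request_msg() lie outside the hunk.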


@ -90,6 +90,12 @@ LlTxKnCrWAXftSm1rNtewTsF
<AssertionConsumerService index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="http://sp5/singleSignOnSOAP" />
<AssertionConsumerService index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://sp5/singleSignOnPostAndArtifact" />
<AssertionConsumerService index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://sp5/singleSignOnPostAndArtifact" />
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
</SPSSODescriptor>
<Organization>


@ -1099,6 +1099,30 @@ START_TEST(test08_test_authnrequest_flags)
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
.stop_after_build_assertion = 1,
});
sso_initiated_by_sp2(idp_context, sp_context,
(SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnPost",
.protocol_binding = LASSO_SAML2_METADATA_BINDING_POST,
.stop_after_build_assertion = 1,
});
sso_initiated_by_sp2(idp_context, sp_context,
(SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnArtifact",
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
.stop_after_build_assertion = 1,
});
sso_initiated_by_sp2(idp_context, sp_context,
(SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact",
.protocol_binding = LASSO_SAML2_METADATA_BINDING_ARTIFACT,
.stop_after_build_assertion = 1,
});
sso_initiated_by_sp2(idp_context, sp_context,
(SsoSettings) {
.assertion_consumer_service_url = "http://sp5/singleSignOnPostAndArtifact",
.protocol_binding = LASSO_SAML2_METADATA_BINDING_POST,
.stop_after_build_assertion = 1,
});
unblock_lasso_logs;
/* Cleanup */
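Review bot: The five new sso_initiated_by_sp2() calls only exercise accepted URL/binding pairs; nothing asserts that the check introduced by this commit rejects a known AssertionConsumerServiceURL combined with a binding it is not declared with (for example "http://sp5/singleSignOnPost" with LASSO_SAML2_METADATA_BINDING_ARTIFACT, assuming that URL is registered only for POST in the fixture), which is the security-relevant half of the change. If sso_initiated_by_sp2() cannot express an expected failure, a direct call to lasso_saml20_login_process_authn_request_msg() asserting LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE would cover it. The ACS-URL-only case with no .protocol_binding, where the first declared binding is chosen, is likewise not exercised here. START_TEST(test08_test_authnrequest_flags) begins and ends outside the hunk.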