Add Destination attribute for SAML ECP Response

The Destination attribute on SAML Response element was not being set
when handling an ECP response. It is a requirement of SAML 2.0 that
signed values contain a Destination attribute on the root element
otherwise the client will reject the response. This is documented in
the SAML Bindings Specification, Section 3.4.5.2 "Security
Considerations":

    If the message is signed, the Destination XML attribute in the
    root SAML element of the protocol message MUST contain the URL to
    which the sender has instructed the user agent to deliver the
    message. The recipient MUST then verify that the value matches the
    location at which the message has been received.

Normally on login one calls
lasso_saml20_login_build_authn_response_msg() which then calls
lasso_saml20_profile_build_response_msg() which sets the Destination
attribute on the SAML Response. But when doing ECP you do not call
lasso_saml20_login_build_authn_response_msg(); instead you call
lasso_saml20_login_build_response_msg(), and if it's ECP it then calls
lasso_node_export_to_ecp_soap_response(). Thus the ECP
response never gets the Destination attribute set because of the
different code path, plus for ECP the destination is different: it's
the assertion consumer service.

FWIW this line of code was copied almost verbatim from
lasso_saml20_profile_build_response_msg which also sets the
Destination attribute.

License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>
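The recipient-side half of the spec text quoted above (the SP MUST check that Destination matches where it received the message) is what breaks when an IdP ships a signed Response without the attribute. The following is an added example of that check, written for this page and not part of lasso; it uses only the standard library, the ACS URL and the sample messages are constructed here, and the ds:Signature element is a placeholder whose presence is detected but whose signature is not validated (a real SP verifies the XML signature first and only then trusts Destination):

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed for this example: the SP's ECP assertion consumer service URL.
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/ECP"


def locate_response(doc: ET.Element) -> Optional[ET.Element]:
    """Return the samlp:Response root of the protocol message.

    Accepts either a bare Response or an ECP-style SOAP 1.1 envelope,
    where the Response is the child of soap:Body.
    """
    if doc.tag == f"{{{SAMLP}}}Response":
        return doc
    if doc.tag == f"{{{SOAP}}}Envelope":
        return doc.find(f"{{{SOAP}}}Body/{{{SAMLP}}}Response")
    return None


def check_destination(message_xml: str, received_at: str) -> Tuple[bool, str]:
    """Apply the Bindings-spec rule: a signed Response MUST carry Destination,
    and Destination MUST equal the location the message arrived at."""
    response = locate_response(ET.fromstring(message_xml))
    if response is None:
        return False, "no samlp:Response found at the protocol message root"
    # Only a Signature that is a direct child of the root signs the Response
    # itself; a signature nested inside an Assertion does not count here.
    signed = response.find(f"{{{DS}}}Signature") is not None
    destination = response.get("Destination")
    if destination is None:
        if signed:
            return False, "signed Response lacks the Destination attribute"
        return True, "unsigned Response without Destination (attribute optional)"
    # Exact comparison: do not normalise case, trailing slashes or ports,
    # since a lenient match widens what an attacker may replay to this ACS.
    if destination != received_at:
        return False, f"Destination {destination!r} != receiving location {received_at!r}"
    return True, "Destination matches receiving location"


# --- constructed sample messages (not real IdP output) -----------------------
_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" '
    'IssueInstant="2015-03-10T21:52:52Z"{dest}>{sig}'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)


def build_response(destination: Optional[str], signed: bool) -> str:
    dest = f' Destination="{destination}"' if destination is not None else ""
    sig = "<ds:Signature><ds:SignedInfo/></ds:Signature>" if signed else ""
    return _RESPONSE.format(dest=dest, sig=sig)


def wrap_in_ecp_envelope(response_xml: str) -> str:
    """Wrap a Response the way an ECP SOAP response delivers it to the SP."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
        f"{response_xml}</soap:Body></soap:Envelope>"
    )


if __name__ == "__main__":
    cases = {
        "signed, Destination set": build_response(ACS_URL, signed=True),
        "signed, Destination missing (the bug)": build_response(None, signed=True),
        "signed, wrong Destination": build_response("https://evil.example/acs", signed=True),
        "unsigned, no Destination": build_response(None, signed=False),
        "ECP envelope, Destination set": wrap_in_ecp_envelope(build_response(ACS_URL, True)),
    }
    for name, xml in cases.items():
        ok, why = check_destination(xml, ACS_URL)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name}: {why}")
```

The second case is exactly what an ECP client or SP saw before this commit: a signed Response with no Destination, which a conforming recipient rejects. The check is deliberately an exact string comparison against the URL the SP knows it is serving the ACS on, not against anything taken from the message itself.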
John Dennis 2015-03-10 17:52:52 -04:00 committed by Benjamin Dauvergne
parent 236410bf91
commit ec73384ccf
1 changed files with 4 additions and 0 deletions


@ -1029,6 +1029,10 @@ lasso_saml20_login_build_response_msg(LassoLogin *login)
= g_strdup(assertionConsumerURL);
}
/* If response is signed it MUST have Destination attribute, optional otherwise */
lasso_assign_string(((LassoSamlp2StatusResponse*)profile->response)->Destination,
assertionConsumerURL);
/* build an ECP SOAP Response */
lasso_assign_new_string(profile->msg_body, lasso_node_export_to_ecp_soap_response(
LASSO_NODE(profile->response), assertionConsumerURL));
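Review bot: the new lasso_assign_string() call sets Destination from assertionConsumerURL unconditionally, and nothing visible in this hunk guards against assertionConsumerURL being NULL; in that case Destination stays NULL, a signed response would still go out without the attribute the added comment says it MUST carry, and the same NULL is then passed on to lasso_node_export_to_ecp_soap_response(). Consider failing the call with an error before the assignment when assertionConsumerURL is NULL rather than emitting a non-conformant message. Minor: the assignment uses a raw C cast `(LassoSamlp2StatusResponse*)profile->response` while the export call two lines below uses the LASSO_NODE() checking macro; using the corresponding type-checking cast macro for the status response would be consistent and would catch a response object of the wrong type at runtime.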