Incompatible ID

Question

Incompatible ID

markmishaev opened this issue 7 years ago · comments

When validating SAML response with OneLogin SAML tools, the validation fails because of incorrect IDs format (response and assertion).

https://www.samltool.com/validate_response.php

Thijs Kinkhorst · Answer 1 · Wed May 31 2017 19:12:40 GMT+0800 (China Standard Time)

Agreed - may not start with digit. Fix is to always prefix with e.g. MU or _.

@oharsta

Okke Harsta · Answer 2 · Wed May 31 2017 19:37:27 GMT+0800 (China Standard Time)

4931ef0

https://build.openconext.org/repository/public/releases/org/openconext/mujina-idp/5.0.6/
https://build.openconext.org/repository/public/releases/org/openconext/mujina-sp/5.0.6/

Mark Mishaev · Answer 3 · Wed May 31 2017 19:46:00 GMT+0800 (China Standard Time)

There is better solution:
private final IdentifierGenerator idGenerator;
this.idGenerator = new SecureRandomIdentifierGenerator();
private String idUnique() {
return idGenerator.generateIdentifier();
}
Btw, the same should be done with AssertionID:
Assertion assertion = buildAssertion(principal, status, entityId);
assertion.setID(idUnique());

Guys, please take a look.

Okke Harsta · Answer 4 · Wed May 31 2017 19:55:21 GMT+0800 (China Standard Time)

In my commit I covered all SAML ID's including the Assertion. See https://github.com/OpenConext/Mujina/blob/master/mujina-common/src/main/java/mujina/saml/SAMLBuilder.java#L117

Mark Mishaev · Answer 5 · Wed May 31 2017 19:57:14 GMT+0800 (China Standard Time)

I see, thanks!