generated AuthnRequest is not compliant with the "regole tecniche"
simevo opened this issue · comments
sample AuthnRequest from "regole tecniche":

<ns0:AuthnRequest
    xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="http://spidSp.spidSpProvider.it"
    AttributeConsumingServiceIndex="1"
    Destination="https://spidIdp.spidIdpProvider.it"
    ID="_4d38c302617b5bf98951e65b4cf304711e2166df20"
    IssueInstant="2015-01-29T10:00:31Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <ns1:Issuer
      NameQualifier="http://spid-sp.it"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
    SPID-sp-test
  </ns1:Issuer>
  <ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
  <ns0:RequestedAuthnContext
      Comparison="exact">
    <ns1:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL1
    </ns1:AuthnContextClassRef>
  </ns0:RequestedAuthnContext>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ......</ds:Signature>
</ns0:AuthnRequest>
sample AuthnRequest generated by spid-php2:

<ns0:AuthnRequest
    xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="http://localhost:8000/index.php?acs"
    Destination="http://idp.simevo.com:8088/sso"
    ID="ONELOGIN_b2005214b263804df4ee09e67be44746f47f176b"
    IssueInstant="2018-07-01T14:49:53Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <ns1:Issuer>http://localhost:8000/metadata.php</ns1:Issuer>
  <ns0:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <ns0:RequestedAuthnContext Comparison="exact">
    <ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ns1:AuthnContextClassRef>
  </ns0:RequestedAuthnContext>
</ns0:AuthnRequest>
notable differences:

- in the `Issuer` element the attributes `Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"` and `NameQualifier` are missing
- the element `NameIDPolicy` has the `Format` attribute set to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` rather than `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
- the element `RequestedAuthnContext.AuthnContextClassRef` contains the value `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport` instead of `urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL1`
it seems that this could be fixed by patching php-saml:

1. `Issuer` is hardwired here: https://github.com/onelogin/php-saml/blob/3.0.0/src/Saml2/AuthnRequest.php#L145
2. there's a setting for that: https://github.com/onelogin/php-saml/blob/3.0.0/settings_example.php#L62 and the one we need is supported: https://github.com/onelogin/php-saml/blob/3.0.0/src/Saml2/Constants.php#L35
3. there's a setting for that: https://github.com/onelogin/php-saml/blob/3.0.0/advanced_settings_example.php#L70
quick fix for 1.:
diff AuthnRequest_orginal.php ./vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php
145c145
< <saml:Issuer>{$spEntityId}</saml:Issuer>
---
> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="http://localhost:8000">{$spEntityId}</saml:Issuer>
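Review bot: the NameQualifier value `http://localhost:8000` is a deployment-specific literal written into the library template at line 145, and the edit is made under `./vendor/onelogin/php-saml/`, so it is lost on the next `composer update` and wrong for any host other than this one. The value should come from the SP settings (the same place `{$spEntityId}` is read from) so the template stays generic.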
forwarded to php-saml:
SAML-Toolkits/php-saml#328
additionally, the `NameIDPolicy` element is not allowed to have the `AllowCreate` attribute; here is the complete patch for v 2.x:
56,57c56
< Format="{$nameIDPolicyFormat}"
< AllowCreate="true" />
---
> Format="{$nameIDPolicyFormat}" />
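Review bot: dropping `AllowCreate="true"` unconditionally changes the request emitted for every user of the library, not only SPID deployments. Since the format already comes from settings via `{$nameIDPolicyFormat}`, make AllowCreate a setting too, or omit it only when the format is transient, so non-SPID SPs keep their current behaviour.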
130c129
< <saml:Issuer>{$spEntityId}</saml:Issuer>
---
> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="http://sp2.simevo.com:8000">{$spEntityId}</saml:Issuer>
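Review bot: same problem as in the v3 quick fix: the NameQualifier `http://sp2.simevo.com:8000` is a per-host literal in the library template at line 130, so every deployment has to re-patch; read it from a setting (the SP base URL) next to `{$spEntityId}` instead.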
The `LogoutRequest` is also not compliant:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_4dc8ccb81114cefe1d3f695123b02ddf85c51be4"
    Version="2.0"
    IssueInstant="2018-08-11T08:57:28Z"
    Destination="https://idp.simevo.com/slo">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      NameQualifier="http://sp2.simevo.com:8000">http://sp2.simevo.com:8000</saml:Issuer>
  <saml:NameID SPNameQualifier="http://sp2.simevo.com:8000"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.simevo.com</saml:NameID>
</samlp:LogoutRequest>
testenv2 reports:

Element | Error details
---|---
saml:NameID | NameQualifier: the attribute is mandatory; Format: urn:oasis:names:tc:SAML:2.0:nameid-format:entity differs from the reference value urn:oasis:names:tc:SAML:2.0:nameid-format:transient
no need to patch this time; this is the fix that goes in `src/Strategy/SpOneLogin.php` around line 166:
+ $nameId = $this->idpName;
+ $nameIdFormat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+ $nameIdNameQualifier = $this->idpName;
+ $sloBuiltUrl = $this->auth->logout(null, array(), $nameId, null, true, $nameIdFormat, $nameIdNameQualifier);
- $sloBuiltUrl = $this->auth->logout(null, array(), null, null, true);
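Review bot: the `+` lines are listed before the `-` line they replace, so the hunk reads as if the old call were removed after the new one is added; reorder it for clarity. On substance, the fourth argument (`$sessionIndex`) is still `null`, so the LogoutRequest carries no SessionIndex; if the assertion returned one, pass it through so the IdP can close the right session. Both `$nameId` and `$nameIdNameQualifier` come from `$this->idpName`, which matches the IdP entity ID the earlier LogoutRequest already sent as NameID, so this adds only the Format and NameQualifier that testenv2 flagged without changing the identifier value.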
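As an added example, not code from this issue, spid-php2 or php-saml: a Python checker that encodes the rules raised in this thread (Issuer Format and NameQualifier, NameIDPolicy transient with no AllowCreate, a SpidLn AuthnContextClassRef, and NameQualifier plus transient Format on the LogoutRequest NameID) and runs them over the spid-php2 output and the spec sample quoted above, reduced to the elements the checks read. It assumes SpidL2 and SpidL3 follow SpidL1's naming (only L1 appears in this issue), and it does not verify signatures.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# SpidL1 is the level shown in the issue; L2 and L3 are assumed to use the same prefix.
SPID_LEVELS = {"urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL%d" % n for n in (1, 2, 3)}


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def _check_issuer(root, findings):
    """Issuer must carry Format=entity and a NameQualifier (both request types)."""
    issuer = root.find(_tag(SAML, "Issuer"))
    if issuer is None:
        findings.append("Issuer: element missing")
        return
    fmt = (issuer.get("Format") or "").strip()  # strip: the spec sample has a stray space
    if fmt != ENTITY:
        findings.append("Issuer: Format is %r, expected %s" % (fmt, ENTITY))
    if not issuer.get("NameQualifier"):
        findings.append("Issuer: NameQualifier attribute is mandatory")


def check_authn_request(xml_text):
    """Return the list of rule violations; an empty list means the request passes."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != _tag(SAMLP, "AuthnRequest"):
        return ["root element is %s, expected samlp:AuthnRequest" % root.tag]
    findings = []
    _check_issuer(root, findings)
    policy = root.find(_tag(SAMLP, "NameIDPolicy"))
    if policy is None:
        findings.append("NameIDPolicy: element missing")
    else:
        fmt = (policy.get("Format") or "").strip()
        if fmt != TRANSIENT:
            findings.append("NameIDPolicy: Format is %r, expected %s" % (fmt, TRANSIENT))
        if "AllowCreate" in policy.attrib:
            findings.append("NameIDPolicy: AllowCreate attribute is not allowed")
    ref = root.find(_tag(SAMLP, "RequestedAuthnContext") + "/" + _tag(SAML, "AuthnContextClassRef"))
    level = (ref.text or "").strip() if ref is not None else ""
    if level not in SPID_LEVELS:
        findings.append("AuthnContextClassRef: %r is not a SPID level (SpidL1/L2/L3)" % level)
    return findings


def check_logout_request(xml_text):
    """LogoutRequest: NameID needs a NameQualifier and a transient Format."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != _tag(SAMLP, "LogoutRequest"):
        return ["root element is %s, expected samlp:LogoutRequest" % root.tag]
    findings = []
    _check_issuer(root, findings)
    name_id = root.find(_tag(SAML, "NameID"))
    if name_id is None:
        findings.append("NameID: element missing")
        return findings
    if not name_id.get("NameQualifier"):
        findings.append("NameID: NameQualifier attribute is mandatory")
    fmt = (name_id.get("Format") or "").strip()
    if fmt != TRANSIENT:
        findings.append("NameID: Format is %r, expected %s" % (fmt, TRANSIENT))
    return findings


# Constructed inputs: the requests from this thread, cut down to the elements checked.
SPID_PHP2_AUTHN = """
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    Destination="http://idp.simevo.com:8088/sso">
  <saml:Issuer>http://localhost:8000/metadata.php</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

SPEC_AUTHN = """
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    Destination="https://spidIdp.spidIdpProvider.it">
  <saml:Issuer NameQualifier="http://spid-sp.it"
      Format=" urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SPID-sp-test</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL1 </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

SPID_PHP2_LOGOUT = """
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    Destination="https://idp.simevo.com/slo">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      NameQualifier="http://sp2.simevo.com:8000">http://sp2.simevo.com:8000</saml:Issuer>
  <saml:NameID SPNameQualifier="http://sp2.simevo.com:8000"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.simevo.com</saml:NameID>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    for name, fn, doc in (("spid-php2 AuthnRequest", check_authn_request, SPID_PHP2_AUTHN),
                          ("spec AuthnRequest", check_authn_request, SPEC_AUTHN),
                          ("spid-php2 LogoutRequest", check_logout_request, SPID_PHP2_LOGOUT)):
        print(name, "->", fn(doc) or "OK")
```

Attribute and text values are stripped before comparison so that the stray spaces in the spec's own sample (`Format=" urn:...entity"`, whitespace around the class ref) do not produce false findings; a strict validator should reject them instead, which is a one-line change.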