generated AuthnRequest is not compliant with the "regole tecniche"

Question

generated AuthnRequest is not compliant with the "regole tecniche"

simevo opened this issue 6 years ago · comments

sample AuthnRequest from "regole tecniche":

<ns0:AuthnRequest
  xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
  AssertionConsumerServiceURL="http://spidSp.spidSpProvider.it"
  AttributeConsumingServiceIndex="1"
  Destination="https:// spidIdp.spidIdpProvider.it"
  ID="_4d38c302617b5bf98951e65b4cf304711e2166df20"
  IssueInstant="2015-01-29T10:00:31Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Version="2.0">
  <ns1:Issuer
    NameQualifier="http://spid-sp.it"
    Format=" urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
  SPID-sp-test
  </ns1:Issuer>
  <ns0:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
  <ns0:RequestedAuthnContext
    Comparison="exact">
    <ns1:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL1
    </ns1:AuthnContextClassRef >
  </ns0:RequestedAuthnContext>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ......</ds:Signature>
</ns0:AuthnRequest>

sample AuthnRequest generated by spid-php2:

<ns0:AuthnRequest
  xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"
  AssertionConsumerServiceURL="http://localhost:8000/index.php?acs"
  Destination="http://idp.simevo.com:8088/sso"
  ID="ONELOGIN_b2005214b263804df4ee09e67be44746f47f176b"
  IssueInstant="2018-07-01T14:49:53Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Version="2.0">
  <ns1:Issuer>http://localhost:8000/metadata.php</ns1:Issuer>
  <ns0:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  <ns0:RequestedAuthnContext Comparison="exact">
    <ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ns1:AuthnContextClassRef>
  </ns0:RequestedAuthnContext>
</ns0:AuthnRequest>

visual diff:

notable differences:

in the Issuer element the attributes Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:entity” and NameQualifier are missing
the element NameIDPolicy has the Format attribute set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified rather than urn:oasis:names:tc:SAML:2.0:nameid-format:transient
the element RequestedAuthnContext.AuthnContextClassRef contains the value urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport instead of urn:oasis:names:tc:SAML:2.0:ac:classes:SpidL1

simevo · Answer 1 · Mon Jul 02 2018 00:35:35 GMT+0800 (China Standard Time)

it seems that this could be fixed by patching saml-php:

Issuer is hardwired here: https://github.com/onelogin/php-saml/blob/3.0.0/src/Saml2/AuthnRequest.php#L145
there's a setting for that: https://github.com/onelogin/php-saml/blob/3.0.0/settings_example.php#L62 and the one we need is supported: https://github.com/onelogin/php-saml/blob/3.0.0/src/Saml2/Constants.php#L35
there's a setting for that: https://github.com/onelogin/php-saml/blob/3.0.0/advanced_settings_example.php#L70

simevo · Answer 2 · Mon Jul 02 2018 00:42:52 GMT+0800 (China Standard Time)

quick fix for 1.:

diff AuthnRequest_orginal.php ./vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php 
145c145
<     <saml:Issuer>{$spEntityId}</saml:Issuer>
---
>     <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="http://localhost:8000">{$spEntityId}</saml:Issuer>

simevo · Answer 3 · Mon Jul 09 2018 03:11:53 GMT+0800 (China Standard Time)

forwarded to php-saml:
SAML-Toolkits/php-saml#328

simevo · Answer 4 · Mon Jul 16 2018 16:58:31 GMT+0800 (China Standard Time)

additionally, the NameIDPolicy element is not allowed to have theAllowCreate attribute; here is the complete patch for v 2.x:

56,57c56
<         Format="{$nameIDPolicyFormat}"
<         AllowCreate="true" />
---
>         Format="{$nameIDPolicyFormat}" />
130c129
<     <saml:Issuer>{$spEntityId}</saml:Issuer>
---
>     <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" NameQualifier="http://sp2.simevo.com:8000">{$spEntityId}</saml:Issuer>

simevo · Answer 5 · Sat Jul 21 2018 17:31:18 GMT+0800 (China Standard Time)

valutare anche queste patch:
https://github.com/italia/spid-laravel/blob/master/patches/php-saml-remove_mcrypt-spid.patch
http://cgit.drupalcode.org/spid/tree/patch/onelogin-php-saml-for-spid.patch

simevo · Answer 6 · Sat Aug 11 2018 17:04:08 GMT+0800 (China Standard Time)

LogoutRequest also not compliant:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="ONELOGIN_4dc8ccb81114cefe1d3f695123b02ddf85c51be4"
                     Version="2.0"
                     IssueInstant="2018-08-11T08:57:28Z"
                     Destination="https://idp.simevo.com/slo">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
               NameQualifier="http://sp2.simevo.com:8000">http://sp2.simevo.com:8000</saml:Issuer>
  <saml:NameID SPNameQualifier="http://sp2.simevo.com:8000"
               Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.simevo.com</saml:NameID>
</samlp:LogoutRequest>

testenv2 reports:

Elemento	Dettagli errore
saml:NameID	NameQualifier: L'attributo è obbligatorio; Format: urn:oasis:names:tc:SAML:2.0:nameid-format:entity è diverso dal valore di riferimento urn:oasis:names:tc:SAML:2.0:nameid-format:transient

screenshot:

simevo · Answer 7 · Sat Aug 11 2018 17:35:39 GMT+0800 (China Standard Time)

no need to patch this time, this is the fix that goes in src/Strategy/SpOneLogin.php around line 166:

+       $nameId = $this->idpName;
+       $nameIdFormat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+       $nameIdNameQualifier = $this->idpName;
+       $sloBuiltUrl = $this->auth->logout(null, array(), $nameId, null, true, $nameIdFormat, $nameIdNameQualifier);
-       $sloBuiltUrl = $this->auth->logout(null, array(), null, null, true);