zibasec / django-saml2-pro-auth

SAML2 authentication backend for Django wrapping OneLogin's python-saml package https://github.com/onelogin/python3-saml


SAML URL encoding bugs (possibly Azure only)

1oglop1 opened this issue · comments

There is a bug in URLs.
Because the OneLogin SP assertionConsumerService.url overrides the reply URL configured in the IdP (Azure AD), data is being POSTed to the wrong URL,
causing django_saml2_pro_auth.utils.SAMLError: No provider specified in request.

Example:

settings.py

SAML_PROVIDERS = [{
    "MyProvider": {
        "strict": False,
        "debug": True,
        "sp": {
            "entityId": "https://test.app.jan",
            "assertionConsumerService": {
                "url": "http://localhost:9876/sso/saml/?acs",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            }
        }
    }
}]

SAML Request contains

AssertionConsumerServiceURL="http://localhost:9876/sso/saml/?acs"

But django-saml2-pro-auth is expecting /sso/saml/?acs&provider=MyProvider.

I tried this workaround:
I changed assertionConsumerService.url to "url": "http://localhost:9876/sso/saml/?acs&provider=MyProvider".

Hence this has been rejected at the Microsoft site as Bad Request:
AADSTS75005: The request is not a valid Saml2 protocol message.

My guess was that the problem is URL encoding and decoding, so I changed & to %26:
"url": "http://localhost:9876/sso/saml/?acs%26provider=MyProvider", which did the trick for sending the request.
But the plugin does not know how to decode the URL in the SAML response: Destination="http://localhost:9876/sso/saml/?acs%26provider=MyProvider"
I guess this is partially a problem of OneLogin.

You're right on the encoding thing, that's on me, I forgot to update the docs. However, you're doing encoding purely for URL schemes and not for XML. The config dict ultimately gets converted into an XML document for SAML2 stuff so values have to be compliant. Check out the standard. What you want to do is to use &amp;. So it looks like "url": "http://localhost:9876/sso/saml/?acs&amp;provider=MyProvider"

Let me know if that helps
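To make the three encodings concrete, here is an added example (not code from the issue or from django-saml2-pro-auth / python3-saml): it embeds each configured ACS URL into a constructed, minimal AuthnRequest-style XML element the way the SP config ends up in the request, then reads the URL back the way the IdP would and checks whether a router expecting ?acs&provider=<name> can still find the provider. The template, the candidate names and the provider-lookup helper are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the AuthnRequest the SP emits. The real python3-saml
# request carries more attributes, but the ACS URL travels the same way: as an
# XML attribute value, so it must be XML-escaped, not URL-encoded.
TEMPLATE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="{acs}"/>'
)

# The three values tried in the issue, keyed by constructed labels.
CANDIDATES = {
    "raw_ampersand": "http://localhost:9876/sso/saml/?acs&provider=MyProvider",
    "percent_encoded": "http://localhost:9876/sso/saml/?acs%26provider=MyProvider",
    "xml_escaped": "http://localhost:9876/sso/saml/?acs&amp;provider=MyProvider",
}


def acs_url_as_seen_by_idp(configured_url):
    """Embed the configured URL in the request XML and return the attribute value
    an XML parser (i.e. the IdP) reads back, or None when the document is not
    well-formed, which is the case Azure rejects as an invalid SAML2 message."""
    try:
        root = ET.fromstring(TEMPLATE.format(acs=configured_url))
    except ET.ParseError:
        return None
    return root.get("AssertionConsumerServiceURL")


def provider_from_acs_url(url):
    """Mimic a router that expects ?acs&provider=<name> (hypothetical helper):
    return the provider name if the query string carries one, else None."""
    if url is None:
        return None
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # A %26 survives XML parsing untouched, so the key becomes "acs&provider"
    # and no "provider" key exists; only the XML-escaped form yields a real "&".
    return query.get("provider", [None])[0]


def evaluate_candidates():
    """Map each candidate label to the provider name the router would extract."""
    return {
        name: provider_from_acs_url(acs_url_as_seen_by_idp(url))
        for name, url in CANDIDATES.items()
    }


if __name__ == "__main__":
    for name, provider in evaluate_candidates().items():
        print(f"{name:16s} -> provider={provider}")
```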

@defionscode
Yeah! Thanks, I totally forgot about escaping in XML, since most stuff I have worked with did the conversion behind the scenes.
I will continue my adventure now.