SAML URL encoding bugs (possibly Azure only)
1oglop1 opened this issue · comments
There is a bug in URLs. Because the OneLogin SP `assertionConsumerService.url` overrides the reply URL configured in the IdP (Azure AD), data is being POSTed to the wrong URL, causing `django_saml2_pro_auth.utils.SAMLError: No provider specified in request`.
Example:

settings.py

```python
SAML_PROVIDERS = [{
    "MyProvider": {
        "strict": False,
        "debug": True,
        "sp": {
            "entityId": "https://test.app.jan",
            "assertionConsumerService": {
                "url": "http://localhost:9876/sso/saml/?acs",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            }
            # remaining sp/idp settings omitted
        }
    }
}]
```
The SAML request contains `AssertionConsumerServiceURL="http://localhost:9876/sso/saml/?acs"`, but django-saml2-pro-auth is expecting `/sso/saml/?acs&provider=MyProvider`.
I tried this workaround: I changed `assertionConsumerService.url` to `"url": "http://localhost:9876/sso/saml/?acs&provider=MyProvider"`. Hence this has been rejected at the Microsoft site as Bad Request:

AADSTS75005: The request is not a valid Saml2 protocol message.

My guess was that the problem was URL encoding and decoding, so I changed `&` to `%26`: `"url": "http://localhost:9876/sso/saml/?acs%26provider=MyProvider"`, which did the trick for sending the request. But the plugin does not know how to decode the URL in the SAML response `Destination="http://localhost:9876/sso/saml/?acs%26provider=MyProvider"`.

I guess this is partially a problem of OneLogin.
You're right on the encoding thing, that's on me, I forgot to update the docs. However, you're doing encoding purely for URL schemes and not for XML. The config dict ultimately gets converted into an XML document for SAML2 stuff so values have to be compliant. Check out the standard. What you want to do is to use `&amp;`. So it looks like `"url": "http://localhost:9876/sso/saml/?acs&amp;provider=MyProvider"`.

Let me know if that helps
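To make the escaping point concrete, here is an added example (not code from django-saml2-pro-auth or python3-saml) that substitutes each of the three URL spellings from this thread into a constructed AuthnRequest template, the way a library that formats config values straight into XML would, and shows which one both parses as XML and yields a `provider` query parameter on the SP side. The template and helper names are assumptions.

```python
"""Why the ACS URL in SAML_PROVIDERS must be XML-escaped, not URL-escaped.

Assumption (added example, not library code): the configured value is
substituted verbatim into an XML AuthnRequest template, so nothing
escapes it for us.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Constructed minimal AuthnRequest; only the ACS attribute matters here.
AUTHN_REQUEST_TEMPLATE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed_id" Version="2.0" '
    'AssertionConsumerServiceURL="{acs_url}"/>'
)


def build_request(acs_url: str) -> str:
    """Drop the configured URL into the template exactly as given."""
    return AUTHN_REQUEST_TEMPLATE.format(acs_url=acs_url)


def provider_from_request(xml_text: str):
    """Return the 'provider' query parameter the SP would read from the
    ACS URL, or None when the XML is not well-formed (what Azure AD rejects
    with AADSTS75005) or the parameter is absent (the 'No provider
    specified in request' error)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    acs = root.get("AssertionConsumerServiceURL")
    query = parse_qs(urlparse(acs).query)  # splits on literal '&' only
    return query.get("provider", [None])[0]


# The three spellings tried in the thread, in order.
CANDIDATES = {
    "raw_ampersand": "http://localhost:9876/sso/saml/?acs&provider=MyProvider",
    "percent_encoded": "http://localhost:9876/sso/saml/?acs%26provider=MyProvider",
    "xml_escaped": "http://localhost:9876/sso/saml/?acs&amp;provider=MyProvider",
}


def check_all() -> dict:
    """Map each spelling to the provider name the SP ends up seeing."""
    return {name: provider_from_request(build_request(url))
            for name, url in CANDIDATES.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:16s} -> provider={result!r}")
```

Only the `&amp;` form survives both steps: the raw `&` is rejected by the XML parser, and the `%26` form parses but the SP then sees a single query key `acs&provider` instead of `provider`.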
@defionscode
Yeah! Thanks I totally forgot about escaping in XML, since most stuff I have worked with did the conversion behind the scenes.
I will continue my adventure now.